MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a122375ad468cf72e87bc27b2fbba8664ccfc7dc6d60a59d7990e8debc5f680. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a122375ad468cf72e87bc27b2fbba8664ccfc7dc6d60a59d7990e8debc5f680
SHA3-384 hash: 0d7b4f1bfa342e91db4dd8f4af695a2cbf51f5dcf9727c6812a46be5da8d159d21bcc7ba9e37d3dba152a4abf2c089e5
SHA1 hash: 59e5502d6c3ed46080f72ce6297577988b5a4543
MD5 hash: b486e660a5325fa3fb08517723fc2acd
humanhash: zebra-five-jig-muppet
File name:Installer.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'310'852 bytes
First seen:2022-05-27 13:05:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 89757deda76ff34613a913675f115eab (3 x RedLineStealer)
ssdeep 24576:usIapPA8tmJ6aPvd2rcmo2qQ3BY/RxVwnTTD4A53PkJGbOgLIKzuQ5V3h3KK:usIapPA88JtV2nWdVwz4AdkJqt
Threatray 3'140 similar samples on MalwareBazaar
TLSH T10FB509035A8B4E75DDC33BB461CB633A9734EE30CA2A9B7FF609C53599532C4681A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.173.38.88:7231 https://threatfox.abuse.ch/ioc/642413/

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
No threats detected
Analysis date:
2022-05-27 13:09:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aede74d5-aecf-4708-b051-654b2aef89cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274950/
Detection(s):
Win.Packed.Crypterx-9940465-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye
Link:
https://www.filescan.io/uploads/6290ccd5206e081618413639/reports/5b7c09f5-91de-4976-99f7-8476f8e77343/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/519f80d6-9c50-46af-b0e7-0f39d2375219
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002629
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a122375ad468cf72e87bc27b2fbba8664ccfc7dc6d60a59d7990e8debc5f680/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2022-05-27 07:33:00 UTC
File Type:
PE (Exe)
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fijcg5nni2gpoluhxqt3f652qzsmz7d5y3lauwoxtehi326f62aa._file
Verdict:
malicious
Similar samples:
20579be1049258522233c39acfae3076c8af1c64aadcd2ec2f68e00c683fe229
RedLineStealer
2d2e2ad393b62986226d97b0430b25b5c5dfe5f7cb79f0aa4957631615bd441e
RedLineStealer
2dde8c2841248eedeec0a51cde97d147760c02e2d60d6f4d4f48758c0f3b6ea7
RedLineStealer
61993e08ea08b735c8966bea3c2cab4dbd2c62ccd1ad88ec42c59e1a9a8f8c71
RedLineStealer
7958f57fe4870d26058bc345be95cdbaab420bcf13817b716bdfb89bf9ae0dd5
RedLineStealer
9081075827ae06456b3d6d0e025fc92fc0f586f1b21a7d59a698a0d16860cdfb
RedLineStealer
b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01
RedLineStealer
+ 3'130 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220527-qb3wzsegem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
185.173.38.88:7231
Unpacked files
SH256 hash:
1a6f547365537e9dcd4eb60ee0fcf9c405541ddd7cadd15a3547e725e6879438
MD5 hash:
387fbdb7c43279da6e798ded23881ae6
SHA1 hash:
945c401e7ce651633ea2c8ec04e24b564a095331
Link:
https://www.unpac.me/results/2b54bdec-8ffa-4d4c-a6ff-ac998ab84a42/
SH256 hash:
2a122375ad468cf72e87bc27b2fbba8664ccfc7dc6d60a59d7990e8debc5f680
MD5 hash:
b486e660a5325fa3fb08517723fc2acd
SHA1 hash:
59e5502d6c3ed46080f72ce6297577988b5a4543
Link:
https://www.unpac.me/results/2b54bdec-8ffa-4d4c-a6ff-ac998ab84a42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/2a122375ad468cf72e87bc27b2fbba8664ccfc7dc6d60a59d7990e8debc5f680

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2a122375ad468cf72e87bc27b2fbba8664ccfc7dc6d60a59d7990e8debc5f680

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/274950/

Comments