MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d3a60652ef2eec8c8e7266ea38b1a1cbc3685315647bd3bddf6232444991c80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 1 File information Comments

SHA256 hash:	2d3a60652ef2eec8c8e7266ea38b1a1cbc3685315647bd3bddf6232444991c80
SHA3-384 hash:	0d195876f7937511300a147366896e47b8c512277a3fc58344b056b844df753d9206ad5d83225703e2db1792ac1ffff3
SHA1 hash:	9a859bf6ee034b83acc4ac32bfe894b06a92ccdb
MD5 hash:	1b9d7e4365016ea9acffddfcb33dae6d
humanhash:	uranus-floor-oven-july
File name:	1b9d7e4365016ea9acffddfcb33dae6d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	372'736 bytes
First seen:	2022-05-06 08:21:08 UTC
Last seen:	2022-05-06 08:38:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a916e8b0d7c2c6fa3f2d0e67400f5178 (2 x RedLineStealer)
ssdeep	6144:+QYmU1EX5lTh2isXCzEGZNpW44VSvUuKiy6pMl1xAN1qOnef8M:+slX5B4isXCxZNB4svBfMl/uz
Threatray	4'301 similar samples on MalwareBazaar
TLSH	T1B484BE10BA90C035F0B716F44AB98368B53DBDE19B3495CB22D56AEE57792E0EC3071B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	33f0ccb2b2b23073 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.190:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.190:23196	https://threatfox.abuse.ch/ioc/548258/

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

1b9d7e4365016ea9acffddfcb33dae6d.exe

Verdict:

Malicious activity

Analysis date:

2022-05-06 08:25:24 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/7892d907-3de5-47d0-a304-8b4fe2cbbe25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/269029/

Detection(s):

SecuriteInfo.com.Variant.Mikey.137117.3641.23289.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16506/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed ransomware

Link:

https://www.filescan.io/uploads/6274da7da40dfc4df20b1f3f/reports/e17b227b-4233-4ae5-a2a1-c6dad6d38718/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/362a66e0-98be-4e0d-a12e-36a9eabefb65

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/988965

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d3a60652ef2eec8c8e7266ea38b1a1cbc3685315647bd3bddf6232444991c80/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-05-06 08:22:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fu5gazjo6lxmrshhezxkhcy2ds6dnbjrkzd32o656yrsirezdsaa._file

Verdict:

malicious

RedLineStealer

1015e4e0a14c39d6a0471e62b945d16825870dddee1f653e567945d26854ffad

RedLineStealer

61908494916ed56bcbcdf4db45499ac7f46f7a8d3e06fb4a7ef5cfadd3741bae

RedLineStealer

6347eda7821b2807e969568f9125af76656c78f222ccf221efa4b8b2a23adf0e

RedLineStealer

b6c164faa4655101e48ad5b0216f77c606b3773770a5c2149943fc0f1895c625

RedLineStealer

bf68d399e2f7f4103d1eeba804afef71535a60d54e4b69a56330b115d18462df

RedLineStealer

+ 4'291 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220506-j9j37scchp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Unpacked files

SH256 hash:

9e8311bec1016714cd42f213b2dfa34f6289e79d68ba4d8b318f2e6b3d3d4534

MD5 hash:

e193fd1aac79751caa70881c3f8a6ee1

SHA1 hash:

c4240847913391dc16eafe6e7a85dfa74d3de706

Link:

https://www.unpac.me/results/b97a8441-1551-449e-9695-e56248437147/

SH256 hash:

ee226c68a7381f58c3a9549b07208c97d27410de2c96af5a4c4b56faef10f5fb

MD5 hash:

125ba3a5d30471d100afc886d4abb864

SHA1 hash:

8b92bc1d586a325a81af9fd959a560d7d1f2d411

Link:

https://www.unpac.me/results/b97a8441-1551-449e-9695-e56248437147/

SH256 hash:

2f1886b2fca83c1fab8c720629328df83006c9f1737917ed2defed9b28965012

MD5 hash:

3b33b6d0b3b715f189e88a040fd4fc94

SHA1 hash:

27fcb465517480c70732cec1c0ea0e4093bfabdf

Link:

https://www.unpac.me/results/b97a8441-1551-449e-9695-e56248437147/

SH256 hash:

2d3a60652ef2eec8c8e7266ea38b1a1cbc3685315647bd3bddf6232444991c80

MD5 hash:

1b9d7e4365016ea9acffddfcb33dae6d

SHA1 hash:

9a859bf6ee034b83acc4ac32bfe894b06a92ccdb

Link:

https://www.unpac.me/results/b97a8441-1551-449e-9695-e56248437147/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2d3a60652ef2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d3a60652ef2eec8c8e7266ea38b1a1cbc3685315647bd3bddf6232444991c80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.