MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88
SHA3-384 hash: 6fe254903aa1ea52c978171a6cb6829c4d4f42b7aef522b25ac876a8c084df7b03aa194a12a84f0bb1af8786a1d682ce
SHA1 hash: a585e9913d39f48ed7dc1a294f69de5d9466fff2
MD5 hash: 1597323acab489ee1798a38278a08b2f
humanhash: alanine-floor-jupiter-fourteen
File name:1597323acab489ee1798a38278a08b2f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:104'960 bytes
First seen:2022-03-09 19:26:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:p0DEkCrsG2IxAacZr8eudVAqHp+yfW632hDoj64buTxvIsHhiLM:p4CrsGh592opQobO9HwY
Threatray 4'813 similar samples on MalwareBazaar
TLSH T1EFA34D6973DD4628F5FE4EB468B1519153F0F1A2AC03F79E4EC4E09D1926B80DB22BB1
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
138.124.180.81:6482

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
138.124.180.81:6482 https://threatfox.abuse.ch/ioc/393330/

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248856/
Detection(s):
Win.Trojan.Redline-9938775-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated redline
Link:
https://www.filescan.io/uploads/6228ff8db94fb38cb44a432d/reports/d5a824d1-df12-49bb-ba06-d3e2196e3e4c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8b1bf03-6448-4210-a98a-12461c9a490b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/953605
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-05 02:54:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwbog5jbeomkcpapdl3dhbaugu2m5lvm7yfp3hzrnpl2jf6xvsea._file
Verdict:
malicious
Similar samples:
2843266d15224e0cc4dbcb65e7711c495698e8564aa5568ccba42f740fc1a3e4
RedLineStealer
aaab95522dafbf95c7822847422e93687ac5c2f327ee93c9e38738a1cfaddc34
RedLineStealer
b9b38b6fc352f4c3753aede91685065a79737687194bd12a9ae785a93855c3dc
RedLineStealer
ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b
RedLineStealer
e56725877b62f2a5804e1793035b8d788980e607ae9fbf79b050a09a85fa9843
RedLineStealer
f4e287439a21158230026a83cead6e14fce27dd6527976fbd480a00260b98fbd
RedLineStealer
+ 4'803 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220309-x545gabed2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
138.124.180.81:6482
Unpacked files
SH256 hash:
2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88
MD5 hash:
1597323acab489ee1798a38278a08b2f
SHA1 hash:
a585e9913d39f48ed7dc1a294f69de5d9466fff2
Link:
https://www.unpac.me/results/728acacc-9367-4f59-9997-386f01a62886/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2d82e3752123/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2086585/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/248856/

Comments