MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fd3207bf2afd0fcebb92faa05afe1d40f54a49f374bdfe84556e1c418d16e37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	2fd3207bf2afd0fcebb92faa05afe1d40f54a49f374bdfe84556e1c418d16e37
SHA3-384 hash:	0ca95dc70ee27c172a9c09bbf5a22a0c4126cf2f2c390c8136a501e5d3ac52a7b53167913ae3d4dd068563e8bf3992c8
SHA1 hash:	bd7153b8b6b7c02cd4b5750def0f7282a4cf91ec
MD5 hash:	20e5f0cea84c5c3e17bebddecf04126d
humanhash:	summer-fix-comet-oranges
File name:	20e5f0cea84c5c3e17bebddecf04126d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	326'144 bytes
First seen:	2021-09-25 08:57:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7be124dd1509e56149d37e4e5fc24f60 (5 x RedLineStealer, 4 x RaccoonStealer, 2 x Smoke Loader)
ssdeep	6144:rBZQVtRfVBGel7qJ7Wc6S9K8F3TQAUTIyrwMC7t:tZkfVBGelW0c6kZFDQAUTIyO
Threatray	6'413 similar samples on MalwareBazaar
TLSH	T10364BF20B6E0C039F1B752F449BA93ACA83D7EB15B3491CB62D616EE56346E8DC30357
File icon (PE):
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
91.142.77.155:5469

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.142.77.155:5469	https://threatfox.abuse.ch/ioc/226453/

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

20e5f0cea84c5c3e17bebddecf04126d.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 08:59:51 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/522ff3d8-f68c-4f59-8452-cc94492dbef5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191410/

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4b511b83-334a-4b6a-bf35-d9c2e2449b08

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857865

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2fd3207bf2afd0fcebb92faa05afe1d40f54a49f374bdfe84556e1c418d16e37/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-19 19:58:48 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f7jsa67sv7ipz25zf6vall7b2qhvjje7g5f572cfk3q4iggrny3q._file

Verdict:

malicious

RedLineStealer

3b6b17e3b6a37bab2f7c435a31348c7abc3590275c6c087d50f68bf6b4b89f55

RedLineStealer

4396ca0aae315ad2bba765753f85606a95e5309acde75f3577d93b282f35aba4

RedLineStealer

50d3dfa972fb43c58c72d366db9066f59a7e0cbd62380a3447f8afe911ecdfef

RedLineStealer

6689cd6f4c80d327a0129bf829883a8c4f52116d7c91b4677a34b1d851793c2c

RedLineStealer

8832cf1dd4faca7dbfad5d6629a6a5e6feab4e15f97655179f91283283a4d51e

RedLineStealer

a008bb0729de684e5924e241190f6ac3d3fcc780cc409449a594e4fb9a1e8bed

RedLineStealer

bc622f5729f264d9943fdbfda5bacb5f8654c7bbbeada1a58da252434dee4f1f

RedLineStealer

eed60b9749e55ab52634fcc2befd94a17eca1e4b31af3eefd5593c0f1ce7083f

RedLineStealer

f10ffeebd78935f24834715bee622216e9e6349c2562ca4216b3f4b7a0163672

RedLineStealer

+ 6'403 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:silicate 1k discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210925-kw7g1sahc3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

91.142.77.155:5469

Unpacked files

SH256 hash:

9e295bb9a1379b18e0373d6aef96ef3ac19211c867de97194d16dbfc254b5dca

MD5 hash:

8c9202bc4335a116b7f397c3fb11ca98

SHA1 hash:

b9ba8107e7230ce4b453ed7dc2c8f147442d3321

Link:

https://www.unpac.me/results/33b83ae9-92f6-4ae8-9c94-7bab84406e1a/

SH256 hash:

69e9cb205b97230456bc3ff0cb7588197d1e37099023870ddba4d797aa8f103b

MD5 hash:

f5adc37db6fe2ed19f4f3be943b459e0

SHA1 hash:

9c5e181c22d9a53add9590b9395b9a9e9508e1c9

Link:

https://www.unpac.me/results/33b83ae9-92f6-4ae8-9c94-7bab84406e1a/

SH256 hash:

309b014e1373d431531cd45cb0048f5a11f4956e0142bf483ed92c1f0f517076

MD5 hash:

ac725b42be0bf699caa86958f2db7289

SHA1 hash:

5cc40a5b91f25ce681fe7da5274ec6dc9d3de1c2

Link:

https://www.unpac.me/results/33b83ae9-92f6-4ae8-9c94-7bab84406e1a/

SH256 hash:

2fd3207bf2afd0fcebb92faa05afe1d40f54a49f374bdfe84556e1c418d16e37

MD5 hash:

20e5f0cea84c5c3e17bebddecf04126d

SHA1 hash:

bd7153b8b6b7c02cd4b5750def0f7282a4cf91ec

Link:

https://www.unpac.me/results/33b83ae9-92f6-4ae8-9c94-7bab84406e1a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2fd3207bf2afd0fcebb92faa05afe1d40f54a49f374bdfe84556e1c418d16e37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191410/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample