MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fea32cb89d30feb0410d01ce7f3c5e59e17895a08b5c946e0c1c157e47db978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	2fea32cb89d30feb0410d01ce7f3c5e59e17895a08b5c946e0c1c157e47db978
SHA3-384 hash:	b251fe6c118baeaa31a95ff7a0677a26eb53f5a7b761fd49f14c05d0b8639d2c6636b538ba95fbe1a0c07fcfdda6d6a9
SHA1 hash:	c7391d38a4c98984517ba05179a52a3b3d73e9b7
MD5 hash:	0409b13768d355fe82969a83678df44a
humanhash:	mango-vermont-item-violet
File name:	0409b13768d355fe82969a83678df44a
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	315'904 bytes
First seen:	2022-06-09 16:01:20 UTC
Last seen:	2022-06-09 16:39:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	78d26c9d6f2c9d23af6542e6624e3f43 (8 x Amadey, 2 x Smoke Loader, 2 x RedLineStealer)
ssdeep	6144:Cal/SYSFwnUnkaeESDfVm2t6POkoqsZrQuWa:Cal6rF7aEEUrOe6rQq
Threatray	5'476 similar samples on MalwareBazaar
TLSH	T19264F140FBBEC836E0731E301DB0D6629A3A798265758A9F776406785FB0EC0E679353
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

0409b13768d355fe82969a83678df44a

Verdict:

Malicious activity

Analysis date:

2022-06-09 16:12:27 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/1b71d830-5341-4a7a-864c-8c719e08e8e9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/278437/

Detection(s):

SecuriteInfo.com.Variant.Mikey.138304.10590.31244.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Query of malicious DNS domain

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed ransomware

Link:

https://www.filescan.io/uploads/62a2198e9bbf30d03f464a11/reports/1729dfbc-15fc-4da6-a454-4d109bb542e9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/635d4ccb-a37a-476e-a8d8-051f11973abe

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010163

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2fea32cb89d30feb0410d01ce7f3c5e59e17895a08b5c946e0c1c157e47db978/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-09 11:29:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f7vdfs4j2mh6wbaq2aoop46f4wpbpck2bc24srxayhavpzd5xf4a._file

Verdict:

malicious

RedLineStealer

5b27a94d4bc1f2d123666bcbab54f08c42d736953e9189e9ff917a256c8657a6

RedLineStealer

884bec8d35a2a1f84dbb50d62b9a1e0abdd0ef8f3b09521508fae751e04e2db1

RedLineStealer

b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0

RedLineStealer

b7cea1f983cf8ed41120e2d4a17b7fe2ec6693d2d990172568cdbbd6b9fbd319

RedLineStealer

c404cc3a18e98ff81b63518df694118ecdec9948ce72f511cc828f93af5c4e7e

RedLineStealer

ce31a4699587ca5d80d259cdb4318cd5eafb91a3fa4b79b37d745c35b0a15f48

RedLineStealer

+ 5'466 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:privatos discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220609-tgryfseaf5/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

185.215.113.75:81

Unpacked files

SH256 hash:

52c5350fe8ad7ed4143cdc44620726cd22947be2b002d301cf4d1ca50f259237

MD5 hash:

6ae35ec22e5c3988ee72566da6b9d36e

SHA1 hash:

aa04b83a444a23f0fd96c29e53b9a630a7056dd6

Link:

https://www.unpac.me/results/1745c501-a676-4906-8f33-2b08ce6031c6/

SH256 hash:

7110d4c4c813967155c49d7c75067e4ac4ab36d88c491d550df684884a8466b9

MD5 hash:

35aaee9bc6a9ec938d896cddc234a68c

SHA1 hash:

7c689923c79b99e2a686bf03fa201f460cadfccf

Link:

https://www.unpac.me/results/1745c501-a676-4906-8f33-2b08ce6031c6/

SH256 hash:

9c2910ca8d353362055003385747776b01cddd6c68c850e1f74a7af48310e98d

MD5 hash:

5ebbecdb1c5ee85925eb643bb50204dc

SHA1 hash:

05458171499d8d4e1bd959e8c1f5f295da2d70c3

Link:

https://www.unpac.me/results/1745c501-a676-4906-8f33-2b08ce6031c6/

SH256 hash:

2fea32cb89d30feb0410d01ce7f3c5e59e17895a08b5c946e0c1c157e47db978

MD5 hash:

0409b13768d355fe82969a83678df44a

SHA1 hash:

c7391d38a4c98984517ba05179a52a3b3d73e9b7

Link:

https://www.unpac.me/results/1745c501-a676-4906-8f33-2b08ce6031c6/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2fea32cb89d3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2fea32cb89d30feb0410d01ce7f3c5e59e17895a08b5c946e0c1c157e47db978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.