MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33ef6ee60dce9623f647dd252407a741dd32bea9e6c8738dbe3ff57e26ff7fe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	33ef6ee60dce9623f647dd252407a741dd32bea9e6c8738dbe3ff57e26ff7fe8
SHA3-384 hash:	04dcd1966cec338ac7c91179476c95b48993c08052724b4a3c6aa419fd20745de64358ca87e546067c99b0b1444b7573
SHA1 hash:	f57437771079b447da43cc5149878451aa3ff991
MD5 hash:	a334bba57cf1ef94247ced1ebe8e0416
humanhash:	carpet-mirror-cola-fillet
File name:	a334bba57cf1ef94247ced1ebe8e0416.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	428'032 bytes
First seen:	2022-01-15 07:22:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	44ee62a4400af83b87d8ba40d9bab42b (6 x RedLineStealer, 2 x RaccoonStealer, 2 x OnlyLogger)
ssdeep	6144:NWJfMGA9pqEzxErJb+1sWJ/6Xp2wywpDsZm9yM4lKAEIjlzuzbgwu:iWcigJbkP/Qp2wywFyM4lREIjlzunn
Threatray	4'375 similar samples on MalwareBazaar
TLSH	T1DF94E0317AECC432CC9314314861C9E19E3AF8715D64AA4B77542B6A9F30E8CB7E275E
File icon (PE):
dhash icon	fcfc94d4d4d4d8c8 (6 x RedLineStealer, 1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.81.115.42:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.81.115.42:80	https://threatfox.abuse.ch/ioc/295374/

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a334bba57cf1ef94247ced1ebe8e0416.exe

Verdict:

Malicious activity

Analysis date:

2022-01-15 07:27:30 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/f704b62a-ddc8-494c-86b0-a01bd13eb03a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/219439/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.30569.UNOFFICIAL

Win.Malware.Generic-9935569-0

Win.Malware.Generic-9935598-0

Win.Trojan.Generic-9935605-0

Win.Malware.Crypterx-9935837-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4237/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61e27659f2e8ec86fe00a156/reports/94da12db-4b11-423d-87dd-47e27f2f2aa4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e2313ddb-648a-47e2-9038-61be44e8158c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/921067

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/33ef6ee60dce9623f647dd252407a741dd32bea9e6c8738dbe3ff57e26ff7fe8/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-01-12 07:30:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

40 of 43 (93.02%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gpxw5zqnz2lch5sh3ussib5hihotfpvj43ehhdn6h72x4jx7p7ua._file

Verdict:

malicious

RedLineStealer

15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d

RedLineStealer

24d0c7fc16543210f15df3cac94b24d5454b30249a48d91056eb52b111978616

RedLineStealer

2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702

RedLineStealer

6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3

RedLineStealer

70831e7594148907df98df900a7d00a5da4613ee0394787dd2fa32f9719737b1

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

+ 4'365 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220115-h7tdesdehj/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

28e3caf0c5480fb5d24b8d1092b957255ee47574584a34a7cf8d2842b0421a3b

MD5 hash:

26110ad8f79edb59615b25f963366413

SHA1 hash:

ed38b8030a1aea13493040dac091944efb6eef76

Link:

https://www.unpac.me/results/2ed26a62-adb6-41cb-b7be-34e61dec5b3f/

SH256 hash:

8853f27f5affde110e2c4b4a37594ce585e68f2d61a66b1eee149d273a9de71d

MD5 hash:

9a2c5be833faaa0c3f60c10710720c9b

SHA1 hash:

58dad2df14540509abca63846d5cedf418bf4600

Link:

https://www.unpac.me/results/2ed26a62-adb6-41cb-b7be-34e61dec5b3f/

SH256 hash:

0a708080b000dda8e4452fcb53332e59ffd66214618da355c88afd6c716744c2

MD5 hash:

67b1dbde6adc599d1d2bcc84827f7fe4

SHA1 hash:

134a51d9111f19a476d5e599e7733cb5a884d2fd

Link:

https://www.unpac.me/results/2ed26a62-adb6-41cb-b7be-34e61dec5b3f/

SH256 hash:

33ef6ee60dce9623f647dd252407a741dd32bea9e6c8738dbe3ff57e26ff7fe8

MD5 hash:

a334bba57cf1ef94247ced1ebe8e0416

SHA1 hash:

f57437771079b447da43cc5149878451aa3ff991

Link:

https://www.unpac.me/results/2ed26a62-adb6-41cb-b7be-34e61dec5b3f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/33ef6ee60dce9623f647dd252407a741dd32bea9e6c8738dbe3ff57e26ff7fe8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219439/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample