MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 380cd876dd3a7dbe477ea7ceaa47e6c72e53a762f0e5e14aabf8c71702325fdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 14



SHA256 hash: 380cd876dd3a7dbe477ea7ceaa47e6c72e53a762f0e5e14aabf8c71702325fdd
SHA3-384 hash: fd17d6708dce96b65624b64064ddb5b80ce71352dc7ba31742d0d5bce42ca60ea35e6ecd590990d2839f8a333ec69de7
SHA1 hash: cd56f43f752119f219a1beaf718b27d62a996cac
MD5 hash: f769ca5373645cd66c464033c4bc456e
humanhash: sad-nineteen-apart-delaware
File name: 380cd876dd3a7dbe477ea7ceaa47e6c72e53a762f0e5e.exe
Signature RedLineStealer
File size: 448'000 bytes
First seen: 2021-12-26 12:55:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 98739c67eeb8bc24f0458b0e56f33db8 (9 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 12288:i2tNUl1yjdVQkAkosZEhlPHi6qSRU/yXHN:iA+IjjQkXbZcPHiqR4
TLSH T11394AE10A7A0C034F1B352F489B9A275B53F7AA16B2891CB53E12BFE96355E0ED31347
dhash icon b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.9.20.253:11452

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
45.9.20.253:11452 https://threatfox.abuse.ch/ioc/287667/

Intelligence


File Origin
# of uploads: 1
# of downloads: 339
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 380cd876dd3a7dbe477ea7ceaa47e6c72e53a762f0e5e.exe
Verdict: Malicious activity
Analysis date: 2021-12-26 12:58:51 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2021-12-26 12:56:12 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 91df0d77d4d0028bd5930c8550a8b330a355f3fa524c254226377efd1e884f40
MD5 hash: 71573520048ef86308ebf0bd87855553
SHA1 hash: b8cfd64d323899a304d43ae80374fc918e7d279e
SHA256 hash: be026055f79b1a0cc7cc40649dccd9117f49045d64aea5014774b84b7f453e11
MD5 hash: bdceb449c081d20384cbd5f122cf4e67
SHA1 hash: ab2d5317d10a25bef7acc6c05855134008ede7c4
SHA256 hash: b696a116f1955982df56a4ac4eed6c91fe6839742eade0805733cf94022a62ca
MD5 hash: fff2a80da07d1ec6891f8ecca7616369
SHA1 hash: 15263b4c110a01297d9d8523a3e5320f8eb75f5f
SHA256 hash: 380cd876dd3a7dbe477ea7ceaa47e6c72e53a762f0e5e14aabf8c71702325fdd
MD5 hash: f769ca5373645cd66c464033c4bc456e
SHA1 hash: cd56f43f752119f219a1beaf718b27d62a996cac
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments