MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 389b1ddd25c9fa562c81bd7df3e68cedcf337f75e1cdff8f44ae6bbd5aaacb51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	389b1ddd25c9fa562c81bd7df3e68cedcf337f75e1cdff8f44ae6bbd5aaacb51
SHA3-384 hash:	4fc2dfc6020a4abb7f4bc8373cc089b8ea95915abf6f6398fe16b1bf2df9b1fd6f79bedf1df600c6f1122cd38d6cf6b4
SHA1 hash:	79a62d275702d22dc2f39fbfb9631c190c437be8
MD5 hash:	e0f1022c3b042a5eff062405b9e5d116
humanhash:	cat-bluebird-oxygen-green
File name:	389b1ddd25c9fa562c81bd7df3e68cedcf337f75e1cdf.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	408'576 bytes
First seen:	2022-03-21 13:17:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5761b9d43ffb6d646c886cb4b6f3b2d2 (6 x RedLineStealer, 2 x Stop, 1 x RaccoonStealer)
ssdeep	6144:qRdF6mOwj1fKJWGBw1QFobP2qNoXE/P0TIoJWOMqxzf9/Jo:EimOwj1iJHBTSbPZkBQIx7p
Threatray	1'946 similar samples on MalwareBazaar
TLSH	T16794DF40B6A0C03DF1B312F8B87AD369652EB9A15B2055CF62D62BDF16346E4ECB1317
File icon (PE):
dhash icon	8c4c8eeeaa8ecc8e (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.203:44310

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.203:44310	https://threatfox.abuse.ch/ioc/433005/

Intelligence

File Origin

# of uploads :

# of downloads :

213

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253609/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10115/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62387b14dfdfa8501cc6f15c/reports/d8761315-5896-45bd-a8ef-6240030795b0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fbb4bcc0-5c69-44fb-843c-6ca862a8cc0c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960780

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/389b1ddd25c9fa562c81bd7df3e68cedcf337f75e1cdff8f44ae6bbd5aaacb51/

Threat name:

Win32.Trojan.GenSHCode

Status:

Malicious

First seen:

2022-03-21 12:50:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hcnr3xjfzh5fmlebxv67hzum5xhtg73v4hg77d2evzv32wvkzniq._file

Verdict:

malicious

RedLineStealer

5dff2d96d80a1afa41f53607b42c45a3ea0484f01b4226b21f00e29ec53bd45a

RedLineStealer

7812f862a22c201df9d457e1fb874c95eec727fc3c09e7b7b4e63ee3e4019b05

RedLineStealer

a3f9d2f8201cd06a0a68841df40fba976c8b4ad6d3fd6ed067ced53507906911

RedLineStealer

a426c2090b8c2777661236aa54ce8eb143af9cc4c1aa8aa11261c6758a970921

RedLineStealer

debcda9c7b9d3d93a7bc542ed22f34f77e431518229e41779d1e8ccf5fc80b2e

RedLineStealer

f57c97c179d60db4d64c83ad25dab7b0b08474cd7191640631f88e4ebc4434c1

RedLineStealer

+ 1'936 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220321-qjy8rsced5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

7dbba15216dafea3fd54f1321f9c34fac6866a99459ac9b00f58309df41f173b

MD5 hash:

2c776fa7b4a436f964034bee655bfd3d

SHA1 hash:

b9a5b20173fbca4b462a24c3c38bee89b5da799d

Link:

https://www.unpac.me/results/532ad85a-b22b-4e63-9ed0-cc0ea275dcde/

SH256 hash:

877d606cf958874907b1a6e571f41c444abeef23b3f856b580a051674db1daa8

MD5 hash:

ee70d7de1e8410fc20c45cb12570fde8

SHA1 hash:

638f5eb046cc44b081d26ede89902cd1ea3fc301

Link:

https://www.unpac.me/results/532ad85a-b22b-4e63-9ed0-cc0ea275dcde/

SH256 hash:

41854ba3f5041902a292db91f41bce73d68332c50aa2c5242f610ea900ba022a

MD5 hash:

62bd1559293069158dad284a4a038325

SHA1 hash:

4211bdd3a14010ee9dd2c7dae6c8d38b5e7dc147

Link:

https://www.unpac.me/results/532ad85a-b22b-4e63-9ed0-cc0ea275dcde/

SH256 hash:

389b1ddd25c9fa562c81bd7df3e68cedcf337f75e1cdff8f44ae6bbd5aaacb51

MD5 hash:

e0f1022c3b042a5eff062405b9e5d116

SHA1 hash:

79a62d275702d22dc2f39fbfb9631c190c437be8

Link:

https://www.unpac.me/results/532ad85a-b22b-4e63-9ed0-cc0ea275dcde/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/389b1ddd25c9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/389b1ddd25c9fa562c81bd7df3e68cedcf337f75e1cdff8f44ae6bbd5aaacb51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/253609/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample