MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38c9bfc55574cd7a2cf5df33d28a70e37622bb9af9396ae05a8b9909af3ef3a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38c9bfc55574cd7a2cf5df33d28a70e37622bb9af9396ae05a8b9909af3ef3a1
SHA3-384 hash: a7a542b363bee3843171e786f77821a8b14c72f247314fef3dc762b334531c37c772df43d487063660a31b2015b2d19d
SHA1 hash: 2600415a5987d45fed12bc8eae6477481f688955
MD5 hash: 01499b64de474ec77e9656f3592c31a6
humanhash: butter-zebra-enemy-mango
File name:01499b64de474ec77e9656f3592c31a6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:222'448 bytes
First seen:2021-12-04 06:41:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:GU19dgkQKKO+WCUMOqibM6gT7Tpae9qVfboRaYr+WPNWdt+QUde+9BV8vM2QHW2v:GU196KI/UA2TBWPgGddeQ2Gh
Threatray 182 similar samples on MalwareBazaar
TLSH T1AB244B1C7748E920DBFC457AC8F1111093F6D896D147F71BA9C072D92993BEAEA01ACB
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:Errhines
Issuer:Errhines
Algorithm:sha1WithRSAEncryption
Valid from:2021-11-21T21:00:00Z
Valid to:2031-11-28T21:00:00Z
Serial number: 1326fc1fda50b8a14ec15b20d618fb71
Thumbprint Algorithm:SHA256
Thumbprint: e42ecf52ef6e435443059efa9318f55c0a42428bea7c56df147fdf23790296ed
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RedLineStealer C2:
93.115.27.141:28269

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
93.115.27.141:28269 https://threatfox.abuse.ch/ioc/259350/

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
01499b64de474ec77e9656f3592c31a6.exe
Verdict:
Malicious activity
Analysis date:
2021-12-04 06:45:52 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/6cd6c1d2-ae36-4ae8-89e2-3c46e33dfa32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211206/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool obfuscated overlay packed packed redline stealer
Link:
https://www.filescan.io/uploads/61ab0dc1fa72c81b5b0a9f3a/reports/be586294-7028-4862-b97a-4ed4da846858/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25620a2e-52af-4d16-b457-238f4244fad0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/901294
Signature
.NET source code contains potential unpacker
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38c9bfc55574cd7a2cf5df33d28a70e37622bb9af9396ae05a8b9909af3ef3a1/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 21:21:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hde37rkvotgxulhv34z5fctq4n3cfo427e4wvyc2romqtlz66oqq._file
Verdict:
malicious
Similar samples:
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
RedLineStealer
20363f9d72c4503b4fa41bcbc0e69b62b2e05e4878ce6fe443f0a488f0777fef
RedLineStealer
6093384421389c5a04411fe0807a20ec283ef9bbb248baddce5307cdf38153cb
RedLineStealer
957ed2e3e12649457ccc30d7c67b31d3362460c9aa1b38208c522959e779610b
RedLineStealer
98c7b1a7626c14161e352f06407631aea8221bc95ca5fa4c08e0ebc8d8b9c9f2
RedLineStealer
e7d90e82ce6b6d2233f2afd0cbd1d7256497d5c4020b903d40a25b153dc9cfb5
RedLineStealer
+ 172 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery spyware stealer
Link:
https://tria.ge/reports/211204-hgd6taaecl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
38c9bfc55574cd7a2cf5df33d28a70e37622bb9af9396ae05a8b9909af3ef3a1
MD5 hash:
01499b64de474ec77e9656f3592c31a6
SHA1 hash:
2600415a5987d45fed12bc8eae6477481f688955
Link:
https://www.unpac.me/results/fb43e743-8917-4a9b-9312-8c8990cd1a83/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/38c9bfc55574/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38c9bfc55574cd7a2cf5df33d28a70e37622bb9af9396ae05a8b9909af3ef3a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 38c9bfc55574cd7a2cf5df33d28a70e37622bb9af9396ae05a8b9909af3ef3a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1849967/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211206/

Comments