MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 390ed9bdc93761ae5230c41f4aef13b5ccd10811dd73876977e7145523dfd33f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	390ed9bdc93761ae5230c41f4aef13b5ccd10811dd73876977e7145523dfd33f
SHA3-384 hash:	89f979d2ec56b81addc700d6e99a09528c9b8cf9297f9ac81b3aad4e30697175a6327183b3598960f658b6339301d29a
SHA1 hash:	3f2f57c040c38c961619441e68eef426fc306ed3
MD5 hash:	c2294a4e0d8113786d829d363b075a5b
humanhash:	illinois-robert-fillet-september
File name:	C2294A4E0D8113786D829D363B075A5B.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	32'256 bytes
First seen:	2021-04-26 06:21:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:wpJ+6dGPHwVicRTrwu9g6BDqJUXMGIxYexrX75gAsuQjbfllButrUs4l8Bvryokk:wpk6PRgqgeqeMzys75gAsuellBKk8Sk
Threatray	282 similar samples on MalwareBazaar
TLSH	29E24C1477B7E727CFE817B880FB2B1C82B4980FB015E72B0CA890D35E576966685F61
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.142.215.63:30297

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.142.215.63:30297	https://threatfox.abuse.ch/ioc/10020/

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

C2294A4E0D8113786D829D363B075A5B.exe

Verdict:

Malicious activity

Analysis date:

2021-04-26 06:23:14 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/29cce5ff-cab7-465a-9ece-908ba6a59f5e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/144216/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.64671.17041.24503.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Launching a process

Creating a file

Sending a UDP request

Sending an HTTP POST request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dfe45f6d-7971-4ba6-8c5e-7c4052a27e1e

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/697366

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/390ed9bdc93761ae5230c41f4aef13b5ccd10811dd73876977e7145523dfd33f/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-04-22 19:29:44 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hehntpojg5q24urqyqpuv3ytwxgnccar3vzyo2lx44kfki672m7q._file

Verdict:

malicious

RedLineStealer

2872f74fbf7bd3e63d2dec6c9f1521bce6b38a6718ea67d123a21908634c45ef

RedLineStealer

48d55a8e6eec21f1eddc457886a42a5d0660b3cdae4ca286029868024d7a390f

RedLineStealer

6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f

RedLineStealer

8f7d8a0885eafdb35c4e33f23733e53df213e4618e3c403536978a26a9ed93ce

RedLineStealer

999ad238e43d208d395a64d425f40fb1b41f0c9e70624c194e8562c6dc191caa

RedLineStealer

9a048c8436c448e99a3a7047781ddc5d14a323660bd69f9fd7432c316083e3b6

RedLineStealer

a0e27e9c690f3635e024021f5a106807511a035380a4af4441adaeb45f4f3189

RedLineStealer

a7c2a6377df88d4b4645dfa97aaf4dcef4239ca97de556f1f55962fada7f3d3c

RedLineStealer

c7d5dd0beceb52c4fff552eaaabea06762ef25df633576867798137dbfe8dc8d

RedLineStealer

+ 272 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:4212021 infostealer spyware

Link:

https://tria.ge/reports/210426-48wz373fpa/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.142.215.63:30297

Unpacked files

SH256 hash:

390ed9bdc93761ae5230c41f4aef13b5ccd10811dd73876977e7145523dfd33f

MD5 hash:

c2294a4e0d8113786d829d363b075a5b

SHA1 hash:

3f2f57c040c38c961619441e68eef426fc306ed3

Link:

https://www.unpac.me/results/28c9214f-da4e-4d7d-9f79-d2010ddaef4f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/390ed9bdc93761ae5230c41f4aef13b5ccd10811dd73876977e7145523dfd33f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/144216/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample