MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f16c127db5d1896a3dfabdf6dff5a16027165d5a0981e2bd32f9556db9e19ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	3f16c127db5d1896a3dfabdf6dff5a16027165d5a0981e2bd32f9556db9e19ee
SHA3-384 hash:	99ee5a38a78d06f2c682890c7b7ec39bd0f82980e128a3ddaf94d7c05ae0f252b245d41dd3af07f32423e41edf4f338e
SHA1 hash:	739d3bcb9e3f7fb685c191009ade96475d4778c5
MD5 hash:	086b9ca196e8b8b293af830f7eb44eb7
humanhash:	sink-summer-solar-mississippi
File name:	086b9ca196e8b8b293af830f7eb44eb7.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	429'568 bytes
First seen:	2022-02-02 08:03:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ef5e0b667b13bc73d1458953ca9050bb (1 x RedLineStealer)
ssdeep	12288:kpPlPrDOuCaLX3cHDoAV+WvDpwSDuuPK2med:kFCq3iDoeZvDSYK2B
Threatray	4'400 similar samples on MalwareBazaar
TLSH	T14B94CF10BA90C035F5B712F849BA936DB52E7EA19B2460CF63D92AEE56346E0DC31317
File icon (PE):
dhash icon	25ec1378399b9b91 (23 x RedLineStealer, 13 x Smoke Loader, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

61F941B7DA970-App-win-i86_64.zip

Verdict:

Malicious activity

Analysis date:

2022-02-02 00:01:32 UTC

Tags:

evasion trojan rat redline loader stealer opendir miner tofsee

Link:

https://app.any.run/tasks/1ccfbd38-3492-4645-87e8-af14bb7f230b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/229853/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.31716.17182.738.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5756/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed

Link:

https://www.filescan.io/uploads/61fa3af56d25ac9e79fad005/reports/b4bb1296-8895-4446-849f-989a1e0991d6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d8e97e8e-3bde-41af-a19f-7a6bd99ae1b1

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933013

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3f16c127db5d1896a3dfabdf6dff5a16027165d5a0981e2bd32f9556db9e19ee/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-02-02 03:21:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 43 (76.74%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h4lmcj63lumjni67vppw3722cybhczovucmb4k6tf6kvnw46dhxa._file

Verdict:

malicious

RedLineStealer

51dab2aed9a33526c883c60b970d756e7fe8215630861d61c839d4a491a91120

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

8d1a7c4598d2da684743fe986b7ce6486edbd09292f2741d37f3972248d5698a

RedLineStealer

987651f9f7dbdae2eb283db2328f4daf4970bd487bbaf5e3892cb980305a24f5

RedLineStealer

be336ff807ecd120dca270ee1fae0b2284d2d112d6f1ed9baa875824146befa8

RedLineStealer

da551b8982f8cb67c55108b405be9ca5e5deb1f2f716adc85d0260d37e74373a

RedLineStealer

+ 4'390 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix02.02 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220202-jxrbrahdhr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.70:21508

Unpacked files

SH256 hash:

de91807d566fc27931107afa60078cb072acb9c511aa5120f3f66a0041b5af8c

MD5 hash:

32bc1ff30592687f3927d2cfcc057d71

SHA1 hash:

a5d0f64d27ab1aaa46a3feeb7fd3fb8fdbc7ca35

Link:

https://www.unpac.me/results/83f7aa0e-2a3e-422c-bb63-2db2a4e5a347/

SH256 hash:

39fbfb9842d08e75dceb128e197d76afcf526d4edbf95514e1e275c545a974a1

MD5 hash:

99271eb3513d381f1e1160526261f25c

SHA1 hash:

9e1644241751b3499fac44146ea959a9087366bb

Link:

https://www.unpac.me/results/83f7aa0e-2a3e-422c-bb63-2db2a4e5a347/

SH256 hash:

e5c845c6f5b2676a7fd18f077a752d5c36cf16a70861a9a36f6252077f1a7dbe

MD5 hash:

461ee5a721f8d238fa7d51cec53ca758

SHA1 hash:

13cd3aef03a2b61249e16b1d87be6bc28f7d5b69

Link:

https://www.unpac.me/results/83f7aa0e-2a3e-422c-bb63-2db2a4e5a347/

SH256 hash:

3f16c127db5d1896a3dfabdf6dff5a16027165d5a0981e2bd32f9556db9e19ee

MD5 hash:

086b9ca196e8b8b293af830f7eb44eb7

SHA1 hash:

739d3bcb9e3f7fb685c191009ade96475d4778c5

Link:

https://www.unpac.me/results/83f7aa0e-2a3e-422c-bb63-2db2a4e5a347/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3f16c127db5d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3f16c127db5d1896a3dfabdf6dff5a16027165d5a0981e2bd32f9556db9e19ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 3f16c127db5d1896a3dfabdf6dff5a16027165d5a0981e2bd32f9556db9e19ee

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1933499/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/229853/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample