MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e43076c62a6462606c9318779dbd385fbc88bf9e6bfb199ddbadef10ad011c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 1 File information Comments

SHA256 hash:	40e43076c62a6462606c9318779dbd385fbc88bf9e6bfb199ddbadef10ad011c
SHA3-384 hash:	2d701bd2dc07d14511c1d2b749dd513c8282d66fabd02dea788ad39247c0398f0afaf8d938d9a65cde0057c25fc8ff4d
SHA1 hash:	31b0e5b6831f93198fc8be91dd83a0e151eff35f
MD5 hash:	caaa2a717cddb288c86b7e9af6652c9f
humanhash:	arizona-uranus-seventeen-one
File name:	caaa2a717cddb288c86b7e9af6652c9f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	351'744 bytes
First seen:	2022-06-07 11:10:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0f8197d782997108db56ec1726ffac1c (2 x RedLineStealer, 1 x Amadey, 1 x Smoke Loader)
ssdeep	6144:wT6c459Ztdf+4oJxn88L7vtDhXKHU9stj0Aev:wTandfoJxtttKHU9VAev
TLSH	T11474014572A5D873E1F359304830CE727A7ABC71A6786C4B3B40266CAE727C1BA607D7
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea68c8ccc (154 x RedLineStealer, 98 x Smoke Loader, 36 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
88.198.178.66:31014

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
88.198.178.66:31014	https://threatfox.abuse.ch/ioc/662601/

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

caaa2a717cddb288c86b7e9af6652c9f.exe

Verdict:

Malicious activity

Analysis date:

2022-06-07 11:33:54 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/2aa83a64-97c5-47fa-86c0-77e7d8bcd4b2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/277341/

Detection(s):

Win.Packed.Jaik-9950918-0

Win.Packed.Jaik-9950927-0

Win.Packed.Tofsee-9951336-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed

Link:

https://www.filescan.io/uploads/629f32845dc88d3571682bd9/reports/5c4a0a96-8da0-45c7-9f2d-00a91a1f789b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e6087412-1545-40f6-ace9-fa2dd3adc1f3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1008403

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40e43076c62a6462606c9318779dbd385fbc88bf9e6bfb199ddbadef10ad011c/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-05-29 13:39:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=idsda5wgfjsgeydmsmmhphn5hbp3zcf7tzv7wgm53ow66efnaeoa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1058 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220607-m99kmsdge9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

88.198.178.66:31014

Unpacked files

SH256 hash:

4745cf4156db586f27509979a165c3b5afe42273cb3947f9b63b5084ccb22ea7

MD5 hash:

51f1c90fe40cdbcb3d8f9409310a499d

SHA1 hash:

92ba9d1c46b7ab05a00e43a81d591594a6ebdfe8

Link:

https://www.unpac.me/results/35f80e8e-b535-4c06-8bac-60c1a21aff08/

SH256 hash:

d897b42d97ca5650ec446f63c2804a745af31082e839298d8755581af4a8765d

MD5 hash:

8aef3cb3b2cb86f339e11fce7d8e7366

SHA1 hash:

52e2f1b2d596ae971679b26dd0727cd69b65c9f3

Link:

https://www.unpac.me/results/35f80e8e-b535-4c06-8bac-60c1a21aff08/

SH256 hash:

ec92855a526e8884c741c3ad051f1236187e062d4fda6bf64eb96bc1bfe0b3e8

MD5 hash:

87e5941413e99c1d945e462cfa924b56

SHA1 hash:

0bfbc93ef9441d6edfbc5f9e0f18c8fb3f496111

Link:

https://www.unpac.me/results/35f80e8e-b535-4c06-8bac-60c1a21aff08/

SH256 hash:

40e43076c62a6462606c9318779dbd385fbc88bf9e6bfb199ddbadef10ad011c

MD5 hash:

caaa2a717cddb288c86b7e9af6652c9f

SHA1 hash:

31b0e5b6831f93198fc8be91dd83a0e151eff35f

Link:

https://www.unpac.me/results/35f80e8e-b535-4c06-8bac-60c1a21aff08/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/40e43076c62a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/40e43076c62a6462606c9318779dbd385fbc88bf9e6bfb199ddbadef10ad011c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/277341/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample