MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42a39eb0eff9dccc54ca3d2d555709ec5a7979e8e3f0dbfd3afd2d472fdb814c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: 42a39eb0eff9dccc54ca3d2d555709ec5a7979e8e3f0dbfd3afd2d472fdb814c
SHA3-384 hash: f13713425bf7e7e845991698de4addf3bb2ff8e3bb624941ed3e80ebdf1f04a0222cd220ec082411f6c32120e60007b1
SHA1 hash: 212eaf910f399e6c7686d7c264a2dd8395a11a5c
MD5 hash: 31694520ace6ebf270337421668c843a
humanhash: sixteen-jersey-may-mountain
File name: 31694520ace6ebf270337421668c843a
Signature RedLineStealer
File size: 385'024 bytes
First seen: 2022-05-16 11:37:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d4caf119a59974e14265e37638578a58 (1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 6144:8MNgEZvK3lBCE2KG9fF080nHXwE6R7ur9sUbX9YOv:8MN7ZvKuN1F0XHAerqkSOv
Threatray 4'902 similar samples on MalwareBazaar
TLSH T17784F112B750D830E0B712304874EBE55F3F7962267488CF2B643B2A1F786E196FA356
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter zbetcheckin
Tags: 32 exe RedLineStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 178.20.47.241:23253
ThreatFox reference: https://threatfox.abuse.ch/ioc/571412/

Intelligence


File Origin
# of uploads:
1
# of downloads:
210
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
31694520ace6ebf270337421668c843a
Verdict:
Malicious activity
Analysis date:
2022-05-16 11:53:16 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed tofsee
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Threat name:
Win32.Trojan.Raccrypt
Status:
Malicious
First seen:
2022-05-13 17:26:20 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
178.20.47.241:23253
Unpacked files
SHA256 hash:
9113cc58084877afc589299c1d935dd7ecda09d8c72f9d4281e84a545a52e04b
MD5 hash:
796dc5b2d52c5abf81d59d912ddc45af
SHA1 hash:
cfa74f56c02d8995995694f7b7831d6ac59b5efb
SHA256 hash:
55e4f860b9962fa42135a5ae5e790c17ed0dcf04375163e2278eefa973161a9c
MD5 hash:
bf7f8fc77c824b4e1eae30c82beb8359
SHA1 hash:
38ceac84ecb769c07149985611dcb8d0b835d27d
SHA256 hash:
a41a3e96ce4800e13543a4d980a96753c4e46383cb6521d072f734ea74b5d0c3
MD5 hash:
6969006e12ea07ac224795dc33c50a74
SHA1 hash:
18eb31308d17020f424c37341ae5b4d7784fe232
SHA256 hash:
42a39eb0eff9dccc54ca3d2d555709ec5a7979e8e3f0dbfd3afd2d472fdb814c
MD5 hash:
31694520ace6ebf270337421668c843a
SHA1 hash:
212eaf910f399e6c7686d7c264a2dd8395a11a5c
Please note that we are no longer able to provide a coverage score for VirusTotal.
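The file name of this sample is nothing more than its MD5, so it carries no assurance on its own. Before analysing a downloaded copy, or attributing a memory dump to one of the unpacked files listed above, recompute the digests and compare them with the entry. The script below is an added example and is not MalwareBazaar code; the hash values are transcribed from this page, while the byte string used in the self-check is constructed and is not the sample. Labels such as "unpacked file 1" are assumptions of the example, not names used by MalwareBazaar.

```python
"""Check a file on disk against the hashes published in this MalwareBazaar entry.

Added example (not MalwareBazaar code).  ENTRY and UNPACKED are transcribed
from the page; the bytes hashed in __main__ are constructed for the demo.
"""
import hashlib

# Digests of the sample as listed in the entry (lower-case hex).
ENTRY = {
    "sha256": "42a39eb0eff9dccc54ca3d2d555709ec5a7979e8e3f0dbfd3afd2d472fdb814c",
    "sha1": "212eaf910f399e6c7686d7c264a2dd8395a11a5c",
    "md5": "31694520ace6ebf270337421668c843a",
    "sha3_384": "f13713425bf7e7e845991698de4addf3bb2ff8e3bb624941ed3e80ebdf1f04a0222cd220ec082411f6c32120e60007b1",
}

# SHA256 of the files listed under "Unpacked files".  The labels are the
# example's own (the page numbers nothing); the fourth entry on the page is
# the sample itself and is handled by identify() through ENTRY.
UNPACKED = {
    "9113cc58084877afc589299c1d935dd7ecda09d8c72f9d4281e84a545a52e04b": "unpacked file 1",
    "55e4f860b9962fa42135a5ae5e790c17ed0dcf04375163e2278eefa973161a9c": "unpacked file 2",
    "a41a3e96ce4800e13543a4d980a96753c4e46383cb6521d072f734ea74b5d0c3": "unpacked file 3",
}


def digests(chunks):
    """Hash an iterable of byte blocks with every algorithm ENTRY uses, in one pass."""
    hashers = {alg: hashlib.new(alg) for alg in ENTRY}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digests_of_path(path, chunk=1 << 20):
    """Stream a file from disk in 1 MiB blocks so large dumps do not load into memory."""
    with open(path, "rb") as fh:
        return digests(iter(lambda: fh.read(chunk), b""))


def verify(got, expected):
    """Per-algorithm comparison; every value should be True for a genuine copy."""
    return {alg: got[alg].lower() == expected[alg].lower() for alg in expected}


def identify(sha256_hex):
    """Map a SHA256 to this entry's sample or one of its unpacked files, else None."""
    sha256_hex = sha256_hex.lower()
    if sha256_hex == ENTRY["sha256"]:
        return "sample"
    return UNPACKED.get(sha256_hex)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded file; this is NOT the RedLine sample.
    fake = b"MZ" + b"\x90" * 64
    got = digests([fake])
    print("matches entry:", verify(got, ENTRY))        # all False for the stand-in
    print("identified as:", identify(got["sha256"]))   # None
```

Reject a copy on any mismatch rather than on SHA256 alone: the entry publishes four digests, and a file that matches all four is far harder to forge than one that matches a single weak digest such as MD5.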

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)

Sample: RedLineStealer, Executable exe, 42a39eb0eff9dccc54ca3d2d555709ec5a7979e8e3f0dbfd3afd2d472fdb814c (this sample)

Comments



zbet commented on 2022-05-16 11:37:20 UTC

url : hxxp://195.2.67.83/sappa.exe
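The page carries two network indicators for this sample: the C2 socket 178.20.47.241:23253 (ThreatFox IOC above and the extracted malware config) and the defanged download URL hxxp://195.2.67.83/sappa.exe from the comment. The script below is an added example, not MalwareBazaar, ThreatFox or the commenter's code. It refangs the URL, emits Suricata rules for both endpoints and scans a Zeek conn.log for connections to them, treating a hit on the C2 IP on a different port as a lower-confidence match because the entry documents only one port. The conn.log lines, the Suricata SIDs and the benign address 198.51.100.7 are constructed for the example.

```python
"""Turn this entry's network IOCs into detections and run them over a conn.log.

Added example (not abuse.ch code).  The indicators are from the page; the
log lines, SIDs and the benign address 198.51.100.7 are constructed.
"""
import re
import urllib.parse

SAMPLE_SHA256 = "42a39eb0eff9dccc54ca3d2d555709ec5a7979e8e3f0dbfd3afd2d472fdb814c"
C2_SOCKETS = {("178.20.47.241", 23253)}            # ThreatFox IOC 571412 / C2 extraction
DEFANGED_URLS = ["hxxp://195.2.67.83/sappa.exe"]   # from the uploader's comment
THREATFOX_REF = "threatfox.abuse.ch/ioc/571412/"
BAZAAR_REF = f"bazaar.abuse.ch/sample/{SAMPLE_SHA256}/"


def refang(url):
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so the URL can be parsed."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def download_sockets(urls):
    """(host, port) pairs the defanged URLs point at; default port from the scheme."""
    out = set()
    for u in urls:
        p = urllib.parse.urlsplit(refang(u))
        out.add((p.hostname, p.port or (443 if p.scheme == "https" else 80)))
    return out


def _rule(ip, port, what, ref, sid):
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"RedLine Stealer {what} {ip}:{port} (MalwareBazaar {SAMPLE_SHA256[:12]})"; '
            f'flow:to_server,established; reference:url,{ref}; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def suricata_rules(base_sid=1000001):
    """One rule per C2 socket, then one per download endpoint; SIDs are an assumption."""
    rules, sid = [], base_sid
    for ip, port in sorted(C2_SOCKETS):
        rules.append(_rule(ip, port, "C2", THREATFOX_REF, sid))
        sid += 1
    for ip, port in sorted(download_sockets(DEFANGED_URLS)):
        rules.append(_rule(ip, port, "payload download", BAZAAR_REF, sid))
        sid += 1
    return rules


# Constructed Zeek conn.log excerpt (tab-separated, #fields header as Zeek writes it).
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1652700000.123\tCabc1\t10.0.0.15\t49733\t178.20.47.241\t23253\ttcp
1652700001.456\tCabc2\t10.0.0.15\t49734\t198.51.100.7\t443\ttcp
1652700002.789\tCabc3\t10.0.0.22\t51000\t195.2.67.83\t80\ttcp
1652700003.000\tCabc4\t10.0.0.22\t51001\t178.20.47.241\t443\ttcp
"""


def scan_conn_log(text):
    """Return (uid, verdict) for each flow that touches an indicator.

    'c2'       exact C2 socket from the entry
    'download' host:port of the refanged download URL
    'c2-host'  C2 IP on an undocumented port (lower confidence, triage first)
    """
    c2_ips = {ip for ip, _ in C2_SOCKETS}
    dl = download_sockets(DEFANGED_URLS)
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 7:
            continue
        uid, dst, dport = f[1], f[4], int(f[5])
        if (dst, dport) in C2_SOCKETS:
            hits.append((uid, "c2"))
        elif (dst, dport) in dl:
            hits.append((uid, "download"))
        elif dst in c2_ips:
            hits.append((uid, "c2-host"))
    return hits


if __name__ == "__main__":
    for r in suricata_rules():
        print(r)
    for uid, verdict in scan_conn_log(CONN_LOG):
        print(uid, verdict)
```

The IP-level match is deliberately kept separate from the socket match: RedLine panels are often rehosted on the same address with a new port, so a bare IP hit is worth a look, but it should not fire a high-confidence alert on the strength of this one entry.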