MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43365f6524bd2907fe8151b8e198a1da027eaf8d682f0534d9f84201d4f553d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	43365f6524bd2907fe8151b8e198a1da027eaf8d682f0534d9f84201d4f553d1
SHA3-384 hash:	449ac35737b5c90d41a7ed198c7633e495e94a6ccaaac30c98bfdf9583ae5c9535adacf18584155da83279014cfc74e0
SHA1 hash:	c70cbecb43788c98ffc5d58fe38aba01fedc5ca0
MD5 hash:	21c09fb0896cd1aec6cb0aefd8dd4d2b
humanhash:	wisconsin-mountain-cola-september
File name:	21c09fb0896cd1aec6cb0aefd8dd4d2b.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	395'264 bytes
First seen:	2022-01-22 14:37:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7dcbbe9c7ee048ad6c29be29a72766de (2 x RedLineStealer)
ssdeep	12288:w7i+0aE9ZwKcYlnuQvFhTeNxw2Gkot4HN:6wa/sD9hyy2CKHN
Threatray	4'498 similar samples on MalwareBazaar
TLSH	T1C584F060BA50D436C4465273492DCED1EB7DBC24F8A5864773AE3B2EAE723C049A531F
File icon (PE):
dhash icon	fcfcb4b4b494d9c9 (5 x RedLineStealer, 3 x RaccoonStealer, 3 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

21c09fb0896cd1aec6cb0aefd8dd4d2b.exe

Verdict:

Malicious activity

Analysis date:

2022-01-22 15:01:53 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/41ef1c18-0a0c-400d-a1a9-f7ba48542633

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/221653/

Detection(s):

Win.Malware.Mikey-9917879-0

Win.Packed.Lockbit-9919158-0

Win.Malware.Generic-9936948-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5005/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware mikey mokes redline

Link:

https://www.filescan.io/uploads/61ec16d0f81da814af997c3a/reports/12425844-0353-4217-9191-8ba3b79756e3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f26650a9-4867-4a2b-8d96-ce1ca8b444a6

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/925640

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43365f6524bd2907fe8151b8e198a1da027eaf8d682f0534d9f84201d4f553d1/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2022-01-22 14:38:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=im3f6zjexuuqp7ubkg4odgfb3ibh5l4nnaxqkngz7bbadvhvkpiq._file

Verdict:

malicious

RedLineStealer

7d8de08a564f08ee20d746a2c445245b75247e772248073431fc30d16a4b9b14

RedLineStealer

a0e3df170ddc6f7fe8298743e0c158175b84c4605650361c51debe34a26a35fa

RedLineStealer

a206d34bbfb7274775956f308ae81339a673c0e894ed55ee1e8e0f01f20ba5fb

RedLineStealer

a2cac07f9147dff643d6a810b9370d8fc2551a692d95b378fcc7b3086c44193e

RedLineStealer

e3d47cf720441db8fad6021333ef201927e070bda5e781f5c2bb2f95d2d0b137

RedLineStealer

fe3820ae1da9b861638dc2070d08e82b8ee26a35e18823d61591d27bb08cf7f1

RedLineStealer

+ 4'488 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220122-rzp6gabggq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.111:1355

Unpacked files

SH256 hash:

4482c8da1743ba343cbc1ce31d4286e658040e3da37de2b72e4169fd7249e8bf

MD5 hash:

925e4096edb29345423f418baf42d91b

SHA1 hash:

f9669495412c387eeb33575ae1a3f423d8857414

Link:

https://www.unpac.me/results/d9932723-7931-4d2e-b5bc-fd1a4df21451/

SH256 hash:

51cd6a24d9cd54284fcbe572515477e2ceb2c370c03b41f00db072ec2b279c3b

MD5 hash:

bbd385cd69cc12b32c4acd442be19d09

SHA1 hash:

a7dacfc795e53f9a668461dc025e6f4e135bc616

Link:

https://www.unpac.me/results/d9932723-7931-4d2e-b5bc-fd1a4df21451/

SH256 hash:

e96610f881dfb8a82d0dd83c7af00bccecc4cfc7bafd45c68518cbc6ce129366

MD5 hash:

dde047fc59c718d5147b7c01af99de70

SHA1 hash:

1c4a6f29c614d9a55733dc63dec4e22398cc9119

Link:

https://www.unpac.me/results/d9932723-7931-4d2e-b5bc-fd1a4df21451/

SH256 hash:

43365f6524bd2907fe8151b8e198a1da027eaf8d682f0534d9f84201d4f553d1

MD5 hash:

21c09fb0896cd1aec6cb0aefd8dd4d2b

SHA1 hash:

c70cbecb43788c98ffc5d58fe38aba01fedc5ca0

Link:

https://www.unpac.me/results/d9932723-7931-4d2e-b5bc-fd1a4df21451/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/43365f6524bd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43365f6524bd2907fe8151b8e198a1da027eaf8d682f0534d9f84201d4f553d1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 43365f6524bd2907fe8151b8e198a1da027eaf8d682f0534d9f84201d4f553d1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1849294/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/221653/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample