MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43bf339f8d440b52a1a8385223ff7c15674952c020325c5839c99a8291e97512. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43bf339f8d440b52a1a8385223ff7c15674952c020325c5839c99a8291e97512
SHA3-384 hash: 4fe84f1e71aedea4d5968561e7fe9d2f7de9800db2d7c77d1c65900c9e0add78663b6ac3d0f3c87f5c2c7a33210b8717
SHA1 hash: b141a1aa941781564eed45370c3d900f7957735b
MD5 hash: 042a6066d9d10bbbf7de5503eb76157c
humanhash: saturn-summer-oxygen-winter
File name:042a6066d9d10bbbf7de5503eb76157c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:427'520 bytes
First seen:2021-10-18 05:27:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd3694527adf0e2f58ae8cb4e18ad5ae (4 x RaccoonStealer, 3 x RedLineStealer, 1 x CryptBot)
ssdeep 6144:X9fvDYyH509RoL0p+y+xJGOALwFdkJm6Fi3rQUyES99F:X9nDYC080p+TxJGH0dkJm6FiUUtS9
Threatray 444 similar samples on MalwareBazaar
TLSH T19B949D00A650C139F5F652F98DBA92B8A52E7FE16B2450CB53D51AEE97357E0EC3030B
File icon (PE):PE icon
dhash icon 5412b0f068696c46 (1 x RedLineStealer, 1 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198024/
Detection(s):
Win.Trojan.Generic-9903173-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616d07aadb358dd15ebe4c42/reports/e29a79d4-e558-4e05-b1d6-a3bdfd6ce90b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba2c4320-170c-4dd0-b300-1d16bdfbfbd5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871973
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43bf339f8d440b52a1a8385223ff7c15674952c020325c5839c99a8291e97512/
Threat name:
Win32.Trojan.Ulise
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 00:50:00 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=io7thh4niqfvfinihbjch734cvtusuwaeazfywbzzgnifepjouja._file
Verdict:
malicious
Similar samples:
0aebf2c39b154018f617d939b6da4335b7e69fa281d367568b1c0177fa74da47
RedLineStealer
1bbc078db5d1d7f8003ac55c86d5e925d50cd79ce2b4e1b95cda63b5242f000e
RedLineStealer
93cab9c0bb921b19441630eaff516d547c8083dd1e2bd7b8b799ec282af5ef23
RedLineStealer
9fd9a7f1fcd183cb0ae2219de02104e103fd135d25b0ed1b7283ecd3f99f856d
RedLineStealer
b6b72f50b91400fb15dc5d97f0daec13e4e9312d1f4955a09570008b6c1f24f0
RedLineStealer
d0dda5dfd52eedeb0c31cc69428a488f7af8f66e6c3a736ff88c6ea1c8ebed35
RedLineStealer
f2ae124bb124c6428d2c2d4c1211b7770a8a171f1500c04d3bd59a38f91f4b65
RedLineStealer
f934020452d58f327c22060903f625f8b9b39429afad32dc05faf58f4e3f32f9
RedLineStealer
+ 434 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pub discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211018-f5195sdba5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.9.20.182:52236
Unpacked files
SH256 hash:
e5dff28a4f4dd964370af9e5036226b0340420666832a879cb1b7f2a0de3c113
MD5 hash:
daf1a5a3d70887ebf100a7e4387f2b7f
SHA1 hash:
9e83d874a2af0a6c28e16ecdc449ee6fb674e835
Link:
https://www.unpac.me/results/3942ebda-be29-44e0-a870-dae8b8392330/
SH256 hash:
f836d8dbfc3bb2e14ba2b9eb8e612d57c69304ecc8af47603589be2647d1e7f4
MD5 hash:
9b436ffb731fba45a145c9549657644a
SHA1 hash:
54382054428eca4a16d831af2bcaf79172bc2807
Link:
https://www.unpac.me/results/3942ebda-be29-44e0-a870-dae8b8392330/
SH256 hash:
b1d6c8d2b9498001f50dab84090b9caf31f864871cfc995ffea41c22d2da9d28
MD5 hash:
daf87bc99f66d35cd6ee1cf6385d7748
SHA1 hash:
012c5c5c2a17a69f7b61848050c0329f5405614a
Link:
https://www.unpac.me/results/3942ebda-be29-44e0-a870-dae8b8392330/
SH256 hash:
43bf339f8d440b52a1a8385223ff7c15674952c020325c5839c99a8291e97512
MD5 hash:
042a6066d9d10bbbf7de5503eb76157c
SHA1 hash:
b141a1aa941781564eed45370c3d900f7957735b
Link:
https://www.unpac.me/results/3942ebda-be29-44e0-a870-dae8b8392330/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/43bf339f8d44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43bf339f8d440b52a1a8385223ff7c15674952c020325c5839c99a8291e97512

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 43bf339f8d440b52a1a8385223ff7c15674952c020325c5839c99a8291e97512

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1610920/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198024/

Comments