MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47a2b7233b1dfb9e62b12f0adfc9ab4be04d59ddea680f38c6dadf3ffaf29936. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 47a2b7233b1dfb9e62b12f0adfc9ab4be04d59ddea680f38c6dadf3ffaf29936
SHA3-384 hash: e682856be83d881e3ca725b942d5ef9f43bb877ca1b47fb20954e3678091f67af9dd69553cf875ba273fcd2c50e8fe7a
SHA1 hash: 45f85c9da20af9b961945ef6dcd97b8b32ea5285
MD5 hash: 005e2671cb3b8360426cf9c578a87896
humanhash: delta-ack-nineteen-hawaii
File name: 005e2671cb3b8360426cf9c578a87896.exe
Signature: RedLineStealer
File size: 314'368 bytes
First seen: 2021-09-25 10:15:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b423274974f58a1d1a63a5242c6dcf99 (12 x RedLineStealer, 5 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep: 6144:30iwypdzN/KWzcTjpOtDrVE/VsjNBwjt4:kgd98jpwDu2jNBay
Threatray: 2'367 similar samples on MalwareBazaar
TLSH: T1AD64DF013EA0DE31C9A345308831E6E4567AF9E1FB64CD4B776AF6EF2E306805626357
dhash icon: b27a7c7f727e6e76 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.215.113.29:18087

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
185.215.113.29:18087     https://threatfox.abuse.ch/ioc/226441/

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 005e2671cb3b8360426cf9c578a87896.exe
Verdict: Malicious activity
Analysis date: 2021-09-25 10:18:58 UTC
Tags: trojan rat redline stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Malware family: Generic Malware
Verdict: Malicious
Result:
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 84 / 100
Signature:
  Detected unpacking (overwrites its own PE header)
  Found malware configuration
  Multi AV Scanner detection for submitted file
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Tries to harvest and steal browser information (history, passwords, etc.)
  Yara detected RedLine Stealer

Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2021-09-22 03:06:27 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result:
Malware family: redline
Score: 10/10
Tags: family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Checks installed software on the system
  Reads user/profile data of web browsers
  RedLine
  RedLine Payload
Malware Config:
  C2 Extraction: 185.215.113.29:18087

Unpacked files:
  SHA256 hash: a62841bbe14945e2cd4066193675aefc61ced1aaff2753924e4ab30a9241e760
  MD5 hash: f246bd57ec25db36919e7e1aa731303f
  SHA1 hash: f4fa44aadc1d6bd4411c14c78150b2ed24f03f3b

  SHA256 hash: 8804d072134b4f424a7af558ae9eaf17370bf874e2d0919e12e9508a8f25bc04
  MD5 hash: b7e41b714671133b10467addb04eaf04
  SHA1 hash: 67250b01da36b1c2b36c6b8599f37d36975cfeca

  SHA256 hash: ccf48b09615787253370d1f337c632ad194e899489784fa7d4bb4cd8d67d6d9e
  MD5 hash: 6b5c7d46224b4d7c38ec620c817867ad
  SHA1 hash: 3747f56ac967b30844b790ed11e6180d83a79565

  SHA256 hash: 47a2b7233b1dfb9e62b12f0adfc9ab4be04d59ddea680f38c6dadf3ffaf29936
  MD5 hash: 005e2671cb3b8360426cf9c578a87896
  SHA1 hash: 45f85c9da20af9b961945ef6dcd97b8b32ea5285

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download    RedLineStealer    Executable exe 47a2b7233b1dfb9e62b12f0adfc9ab4be04d59ddea680f38c6dadf3ffaf29936 (this sample)

Delivery method: Distributed via web download

Comments