MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a0f52dab31cc96ebe813dfce03401b5813d10153ffd805ba61b06cb169eee6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 12



SHA256 hash: 4a0f52dab31cc96ebe813dfce03401b5813d10153ffd805ba61b06cb169eee6a
SHA3-384 hash: 5ef6fc68bce515ebc5c97f338f10f82172ac8613f7a965f0fb32d1889d1ee6f3505b51193d28713addcd39d3230eed5b
SHA1 hash: 98c127b90ec70fbd2467726cb6e6a406c5df92bd
MD5 hash: a4783e75fb1f0f168eb935b34957876a
humanhash: sierra-north-nuts-london
File name: a4783e75fb1f0f168eb935b34957876a.exe
Signature: RedLineStealer
File size: 841'728 bytes
First seen: 2021-10-23 11:41:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 411e563f9ec398fe36c815278ae7fd2f (2 x RedLineStealer)
ssdeep: 12288:tbwSHzgyHOo4qvzphUrgZumKE9U532pgzt5Nj5ajx56ruk5LZMYLNMcukyRX:9p3HzL13C5GudU+dvr6N
TLSH: T1DA052BC6E173608EDFA278780B0195E24A421E7E1B119EF45F75BA6B15F36D08ADB303
dhash icon: ccb2b2f0b0b2ccd4 (9 x RedLineStealer, 1 x RaccoonStealer, 1 x AilurophileStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
92.119.113.189:21746

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
92.119.113.189:21746 | https://threatfox.abuse.ch/ioc/236787/

Intelligence


File Origin
# of uploads: 1
# of downloads: 634
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature:
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-10-21 17:21:55 UTC
AV detection: 17 of 27 (62.96%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@noilase discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 92.119.113.189:21746
Unpacked files
SHA256 hash: 6c0e24bd69345e0d8a8b11c980571f008479005c8ad1e5039ef93f3c518d68a4
MD5 hash: 87cfefd3bac003dc9aa857876600e1e5
SHA1 hash: d5a9ac446e2f538443c077e1987feb7c26a69da1

SHA256 hash: 7a28d641bfb4f816a7802c98086964eff30c44d078eae144cb867bacddfc4ae0
MD5 hash: c8e47698753746bd7da374b7f120b6bf
SHA1 hash: bd8f58029f00d70f94143631121f8f3236136090

SHA256 hash: 4a0f52dab31cc96ebe813dfce03401b5813d10153ffd805ba61b06cb169eee6a
MD5 hash: a4783e75fb1f0f168eb935b34957876a
SHA1 hash: 98c127b90ec70fbd2467726cb6e6a406c5df92bd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments