MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5312f25b2ddb5ca623a0b4aa73a43af58c217646afacf4dbd2995dacafa80c77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 6 File information Comments

SHA256 hash:	5312f25b2ddb5ca623a0b4aa73a43af58c217646afacf4dbd2995dacafa80c77
SHA3-384 hash:	957502689b29089143a63cb060142736005a79b023bd2ad06acad02fc363449a3caf7e6f59ed25f460f56623befc7df5
SHA1 hash:	bcf7675f164f85d85092cd2c9fe2085aebbcbe7d
MD5 hash:	89562d324385eb107254b8af6379426b
humanhash:	two-maryland-pluto-single
File name:	89562D324385EB107254B8AF6379426B.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	89'088 bytes
First seen:	2021-05-05 11:15:47 UTC
Last seen:	2021-05-05 12:21:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	1536:CZzQ4i8fr2GlGxAJmv2Mos+umb3A6spofRkGyJpd4isxM1gEiTh:34bSkKpy1tfRlyjd4K1zi9
Threatray	311 similar samples on MalwareBazaar
TLSH	87933D25635C4B14F7BDCBB574B0017647F2D0CF6012EB6E8FC5A4DE6E267832A445A2
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
5.188.118.35:19651

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
5.188.118.35:19651	https://threatfox.abuse.ch/ioc/29318/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/150518/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.19276.14971.242.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/900b268f-a547-4237-bccb-11c31c2a1ff4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/711847

Signature

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5312f25b2ddb5ca623a0b4aa73a43af58c217646afacf4dbd2995dacafa80c77/

Threat name:

ByteCode-MSIL.Infostealer.RedLine

Status:

Malicious

First seen:

2021-05-03 01:35:18 UTC

AV detection:

27 of 47 (57.45%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kmjpewzn3nokmi5awsvhhjb26wgcc5sgv6wpjw6stfo2zl5ibr3q._file

Verdict:

malicious

RedLineStealer

3aca76d7bdd23aa701fffa2994e4b9438439056ad0317b78f6c7251b3fb9f2c5

RedLineStealer

586871a8aa5c08be02631a432daa373d9e40fdd0dd53b80f0210f53b41dbbfb3

RedLineStealer

7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191

RedLineStealer

7f991d43aa3e97b19b8e9f50e538b3906f43ee091fb6bb99c5256670b47edd33

RedLineStealer

8c2bcfb8657193f893a95fac8d90cabad1b35ed4ed2402dc717523ef255b9e2e

RedLineStealer

b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5

RedLineStealer

c89928a29ebf0c8c2acd7d9a457236e15d1a604d5c892ec5d750d94e68e4c108

RedLineStealer

dd4a98c54832ec6b61160f7c214af65f476cc75659fc3ea0add868373022031e

RedLineStealer

fe28808f8b07b484ff987a1ccc2f187857139e84d58dfbbb8004ce29f21bf1ea

RedLineStealer

+ 301 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:forum discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210505-g89qxcaven/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

5.188.118.35:19651

Unpacked files

SH256 hash:

5312f25b2ddb5ca623a0b4aa73a43af58c217646afacf4dbd2995dacafa80c77

MD5 hash:

89562d324385eb107254b8af6379426b

SHA1 hash:

bcf7675f164f85d85092cd2c9fe2085aebbcbe7d

Link:

https://www.unpac.me/results/9adbc2dc-0bb9-46d7-9383-93049d7fc931/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	pe_imphash Create hunting rule

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150518/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample