MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 532a8342b1bf55853765611228620df01679d25efd5495ec61877deb4ecb0363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 532a8342b1bf55853765611228620df01679d25efd5495ec61877deb4ecb0363
SHA3-384 hash: 42ad21c85c303a4962aa505141df3f35b4b9261dc0480008c1f315a607e0feda58b2be33a62795a0e940274ebd988e28
SHA1 hash: 7b1dfdebfd83504c31167d6a96e1874ecbb0f261
MD5 hash: b22e5cba159668c1215ee232ad7a1ce2
humanhash: iowa-music-diet-muppet
File name:SecuriteInfo.com.Variant.Fragtor.43959.21953.9488
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:295'936 bytes
First seen:2021-11-24 04:35:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2592ff0cb9d4716be385a37eb0faa8d (2 x RedLineStealer, 1 x Loki)
ssdeep 3072:UPrDzpka4RM/5Ti+6JM55253Zn5TBQls1n8fYjDH8KCdUU+OVp5JhpERfas2AqBq:8rDzpka4h+c5RIO1NCP+OH5JvEUGoq
Threatray 3'771 similar samples on MalwareBazaar
TLSH T15054F1D072615871DAA3AA30F870CE555A3F78E3A9B1840B37A8125D6FF0AD09A73357
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Fragtor.43959.21953.9488
Verdict:
Malicious activity
Analysis date:
2021-11-24 04:36:47 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/d868d5e1-c411-46c2-8d3e-168340e042a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Fragtor.43959.21953.9488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/619dc137f36138de3f38d544/reports/d1c4e007-cf09-4849-a45e-681fd9bf3119/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc532ade-92a9-46b7-aa35-79405fa7ea5e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895157
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/532a8342b1bf55853765611228620df01679d25efd5495ec61877deb4ecb0363/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 02:57:30 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmvigqvrx5kykn3fmejcqyqn6alhtus67vkjl3dbq566wtwlanrq._file
Verdict:
malicious
Similar samples:
33b95d37a5798d22164b77968c99f8d0c1925aad08daa0f200a365f87353f160
RedLineStealer
3ea19538971898322afce6110691bd03b0c18d97e044cc99264ebca714fc876e
RedLineStealer
8f89e87031d8f92f9c4dddd69d8b554378c73690fd01af96c22dd0065d2d90cd
RedLineStealer
a55d60e2368ff8831b9c2c5c3701b38b752cdce50ea2c498b0811e2a96cbba7d
RedLineStealer
ec75d2e78898eef0f85ec90d16989cf9c1fb5f1e0f7b45cddad67192846aa8da
RedLineStealer
+ 3'761 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211124-e79hvsfbc4/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:26828
Unpacked files
SH256 hash:
b234454c51db11d58735da36cf638d075a9c9798776935418fc39e36849f8f14
MD5 hash:
31855c348a43090d89ff62fa19b1224d
SHA1 hash:
fc248f68da407a6be9719d7b8041e5c8029e160c
Link:
https://www.unpac.me/results/dbf97df0-85c9-43cb-bff5-08c4fcc051e7/
SH256 hash:
f376dba3133daecb23b65247d748bdea6f5b0ad6eb64abaaf50d4f67be8b74c7
MD5 hash:
0c858c311ca6e8a905aa810b0032bc1e
SHA1 hash:
97a7d37cced11b841489e2fcb638224dbf51aa3a
Link:
https://www.unpac.me/results/dbf97df0-85c9-43cb-bff5-08c4fcc051e7/
SH256 hash:
c319ae8878e4ec07e16607a2a74cada5ad8e38d8b39c7a9d8a94ced92a4e4068
MD5 hash:
008652ed815a4d28b38d2bbee5ab7faa
SHA1 hash:
757257cc54b39401e9d937181079a125a8051346
Link:
https://www.unpac.me/results/dbf97df0-85c9-43cb-bff5-08c4fcc051e7/
SH256 hash:
532a8342b1bf55853765611228620df01679d25efd5495ec61877deb4ecb0363
MD5 hash:
b22e5cba159668c1215ee232ad7a1ce2
SHA1 hash:
7b1dfdebfd83504c31167d6a96e1874ecbb0f261
Link:
https://www.unpac.me/results/dbf97df0-85c9-43cb-bff5-08c4fcc051e7/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/532a8342b1bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/532a8342b1bf55853765611228620df01679d25efd5495ec61877deb4ecb0363

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 532a8342b1bf55853765611228620df01679d25efd5495ec61877deb4ecb0363

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1811085/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208859/

Comments