MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 535b5d8da976e181c1867639063a6a375601de451b46822ff37cd9f19bc82150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	535b5d8da976e181c1867639063a6a375601de451b46822ff37cd9f19bc82150
SHA3-384 hash:	2daec02aa15d3369da3cfa705d86d1ccc1677a8526c6fcf63abb2e494c70e8c4fb11db6dfe6c1971f65e3c44bdc1ca76
SHA1 hash:	814e65366d3ac8203356686a8903b0fceb536032
MD5 hash:	4bae0bd941e63df1ffcba8871f948fb0
humanhash:	island-jersey-eighteen-maryland
File name:	SecuriteInfo.com.W32.AIDetect.malware1.31854.18977
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	403'515 bytes
First seen:	2021-12-19 14:19:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	18f86aab7a3779fc3e6eb84d32d1d0ff (2 x RedLineStealer, 1 x CryptBot)
ssdeep	6144:lPi6qmtILCIkpkM6TocNPoK6PoeZWubwJzOPajIJ+ZMabu0xJMan11zA:l6UWLHkp5In8wJkajQ+eVIJMaQ
Threatray	4'321 similar samples on MalwareBazaar
TLSH	T1F584CF10B7A0D034F4B726F44E7AD3A8653F7DE1AB2495CB62D42AEA56346E0EC30357
File icon (PE):
dhash icon	70f0c2cccce06031 (2 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/215264/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.31854.18977.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2612/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/61bf3f598991ba72b38cedfd/reports/08c7ec53-70ed-4b79-891e-67e38483f086/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/156da993-e9b1-4499-b127-e8cc1502d860

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/909814

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/535b5d8da976e181c1867639063a6a375601de451b46822ff37cd9f19bc82150/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-19 14:20:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=knnv3dnjo3qydqmgoy4qmotkg5ladxsfdndiel7tptm7dg6iefia._file

Verdict:

malicious

RedLineStealer

3c849266011821a8c1ae2038a9c97d0bc7cd72258256ae1d644e585e6e8658b6

RedLineStealer

7eec09749966b69d9eb49acb8e2d50925b3a4cc26d3051dca1dbe91888ca21ad

RedLineStealer

935f6f03303b13df2b51af0b9e2b9f6ce5cd20cfc4ba431103af128dadd6a576

RedLineStealer

a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932

RedLineStealer

c72d58f2ee5007430aac685459da0714396615aaeda68ff1ae5c8c0f9d9396cb

RedLineStealer

ebca21122d4ab9dbef25f95fa2d44e5e7ce4cc120e4cf788790bdeba5ad51d60

RedLineStealer

f4128b1298fd05caadb8c40c93588c09c4f636b997afd88f35a9898ceaf6d2e8

RedLineStealer

+ 4'311 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:asia discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211219-rmt9nahcfj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.240:46257

Unpacked files

SH256 hash:

63c2c4dbf059edbae899f3b2db044b6b1ae4b93720e32790307d2a151802eb50

MD5 hash:

f16488931baabae1850e2de880252c65

SHA1 hash:

cc68cc74a5f95e857f91e2c8d799d71159e21103

Link:

https://www.unpac.me/results/e90a8d1e-c02e-4639-92e3-0bea5930131f/

SH256 hash:

b71929c4cfa50a1601d56e333c4e57f155a3361d49215aefa4a4f7274c042d5a

MD5 hash:

e02f775a549787386329999717518871

SHA1 hash:

7bd4742e1f2cd4e664ae2a17036256ccbd7b793f

Link:

https://www.unpac.me/results/e90a8d1e-c02e-4639-92e3-0bea5930131f/

SH256 hash:

46cb3fe8c9187fbedab8dfeb8fde4178ce7f6f93fc999ca869dd970d176f4bf4

MD5 hash:

6fdd0d4302e6fa4838ebb561487ef13c

SHA1 hash:

27e33a3947c26a7250b6bca3f5ad9c85e31c40f5

Link:

https://www.unpac.me/results/e90a8d1e-c02e-4639-92e3-0bea5930131f/

SH256 hash:

535b5d8da976e181c1867639063a6a375601de451b46822ff37cd9f19bc82150

MD5 hash:

4bae0bd941e63df1ffcba8871f948fb0

SHA1 hash:

814e65366d3ac8203356686a8903b0fceb536032

Link:

https://www.unpac.me/results/e90a8d1e-c02e-4639-92e3-0bea5930131f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/535b5d8da976e181c1867639063a6a375601de451b46822ff37cd9f19bc82150

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215264/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample