MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 551efcf650e722506a6aa3a33a456a4b4daab92985e909bc6842a071ca736901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	551efcf650e722506a6aa3a33a456a4b4daab92985e909bc6842a071ca736901
SHA3-384 hash:	9a304baa76b4af30012e60caa250e51b95fb0953e6d61ac5f91fb9093fd4a06d2aec18c82de476550e986ba8380b9717
SHA1 hash:	6464d4a7d01c45a178b5fe8602d34d6516073004
MD5 hash:	5300b287f0effc69d01d252e01d448ba
humanhash:	mars-hot-pennsylvania-colorado
File name:	5300b287f0effc69d01d252e01d448ba.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	347'648 bytes
First seen:	2021-11-07 08:12:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9e3ac2424cecff905bdab3e7336b91cb (2 x RedLineStealer, 1 x RaccoonStealer, 1 x SystemBC)
ssdeep	6144:1M9GWodnuqTTIE0ArVf/MYJwK2fPLduzbgwu7igaWkEx69:u9GWoduqXL0ArVfka6jdunnj4
TLSH	T17C74D03176ECC832D5B30E30887497A4597BB8526970918AE764FB2B1D71F8C56F132E
File icon (PE):
dhash icon	a1bcdcac9c8cb484 (8 x RaccoonStealer, 5 x RedLineStealer, 4 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup_x86_x64_install.exe

Verdict:

Malicious activity

Analysis date:

2021-11-06 18:36:00 UTC

Tags:

trojan rat redline loader evasion stealer vidar opendir

Link:

https://app.any.run/tasks/90d3f7a0-255e-47ed-8c4f-51664dff6bfa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/202984/

Detection(s):

Win.Trojan.Generic-9906289-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed redline

Link:

https://www.filescan.io/uploads/61878a90d8143ea269cdadfb/reports/44da03da-6e16-42eb-ba10-a073d24edd5c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4fb39116-2b61-4240-9084-782e21600b7a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/884738

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/551efcf650e722506a6aa3a33a456a4b4daab92985e909bc6842a071ca736901/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2021-11-06 18:07:31 UTC

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kuppz5sq44rfa2tkuorturlkjng2vojjqxuqtpdiikqhdsttneaq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udptest discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211107-j4exashge2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.56.146.64:65441

Unpacked files

SH256 hash:

e1ae7e2b33b3dc036f12fac7f372134090935de29d453fdc0c838db5288340ab

MD5 hash:

c1108718dcfb2b7a752e2c4c1e27659d

SHA1 hash:

59c7c4ca474af49a7fc77e58da554f02f9d68191

Link:

https://www.unpac.me/results/428da4c9-a8f0-4c33-8381-14839a2a36fe/

SH256 hash:

b602a2710845fe08f9c0b53c053ddc834e25b3e4cd36e6162ffed3a028346044

MD5 hash:

b4bfd945fe4a51c1a6f4aafa964aea7d

SHA1 hash:

5207263194c4902eb2dee4c2659a1af725057699

Link:

https://www.unpac.me/results/428da4c9-a8f0-4c33-8381-14839a2a36fe/

SH256 hash:

a3016b6e5863c9b51ef7616c7bb720c2a2dc4b4ff545af47aabc8ad82b5dc45c

MD5 hash:

988bab2529a6b385e407ba8ef050dc51

SHA1 hash:

3851cb15de623f44d62581e970ab183d8ed4769c

Link:

https://www.unpac.me/results/428da4c9-a8f0-4c33-8381-14839a2a36fe/

SH256 hash:

551efcf650e722506a6aa3a33a456a4b4daab92985e909bc6842a071ca736901

MD5 hash:

5300b287f0effc69d01d252e01d448ba

SHA1 hash:

6464d4a7d01c45a178b5fe8602d34d6516073004

Link:

https://www.unpac.me/results/428da4c9-a8f0-4c33-8381-14839a2a36fe/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/551efcf650e7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/551efcf650e722506a6aa3a33a456a4b4daab92985e909bc6842a071ca736901

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.