MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11
SHA256 hash: 556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5
SHA3-384 hash: fe3d5940ca293382950fdae4f4fec0f65c77cf5f086803456580d50a2ad6ac8779d8d457425b958d7615a20a5bba931b
SHA1 hash: de1c4b82a83455e0ae0358a4c97007637e018d86
MD5 hash: f3c5e517c4775a18a0aa8385b1578578
humanhash: ceiling-steak-ten-red
File name: f3c5e517c4775a18a0aa8385b1578578.exe
Signature: RedLineStealer
File size: 655'360 bytes
First seen: 2022-02-07 14:54:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 059e939bc149cd78a08e6bfa706a4e4a (2 x RedLineStealer, 1 x ArkeiStealer, 1 x Loki)
ssdeep: 12288:9bmCoUx2xKHqVZAbRsiTnWt0kNLoTMmsyyY2jYrHF8QMNIDRb6ym73uLrNBBuYFL:XIxKUZgRsOnQBNUT6BY2krHFsNBR7eBL
Threatray: 899 similar samples on MalwareBazaar
TLSH: T1E1D4F100BA90C035F1B702F8557AD36DAA2E7AB25B3465CF93D65AEE06386E0DC71317
dhash icon: b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 124
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2022-02-07 14:55:19 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:mix07.02 discovery infostealer spyware stealer
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction: 185.215.113.70:21508
Unpacked files
SHA256 hash: c68f1f5fa511083b3f859a6c37c1dc60bd21635f4393f778a1c283c10386b56a
MD5 hash: 71c0b1739effff7869192445f82e0606
SHA1 hash: db53802fe16ad7db5b1465f17626d1e737915e73
SHA256 hash: 556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5
MD5 hash: f3c5e517c4775a18a0aa8385b1578578
SHA1 hash: de1c4b82a83455e0ae0358a4c97007637e018d86
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe 556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5 (this sample)
Delivery method: Distributed via web download
