MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5595a79bf6de38997bd5bf1fae335e96c99b829855fef781c76d38a2fdcc7f1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5595a79bf6de38997bd5bf1fae335e96c99b829855fef781c76d38a2fdcc7f1f
SHA3-384 hash: be0d379e68ba5edf4174038502a37a8a32c0f73598754aafb10ddf81c1214f2beffded273630f7f5c322d8bb82ed8851
SHA1 hash: 2512cf69a163816f4db1ee064ec4fad9dd326706
MD5 hash: a2ab03703280dac5e45b67ac62235135
humanhash: lake-hawaii-muppet-idaho
File name:5595a79bf6de38997bd5bf1fae335e96c99b829855fef.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:455'168 bytes
First seen:2021-11-30 06:25:28 UTC
Last seen:2021-11-30 07:48:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 55ae6049290b1a231db6697392c2b841 (2 x RedLineStealer, 2 x RaccoonStealer, 1 x CryptBot)
ssdeep 6144:hrjLiO05zTSRRHwgpntcHZgbdQFVN9mIpIT2Eo5ZOeLuDId:hrjLiqNZ9iZg5QFVN4IpITBo5xLu
Threatray 3'432 similar samples on MalwareBazaar
TLSH T15AA4BF00F7A0C035F5B716B85979E3A8B93E7DE16B2890CB62D426EE56756E1EC30307
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
178.238.8.207:11703

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
178.238.8.207:11703 https://threatfox.abuse.ch/ioc/256290/

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5595a79bf6de38997bd5bf1fae335e96c99b829855fef.exe
Verdict:
Malicious activity
Analysis date:
2021-11-30 06:44:20 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/554e1ee0-ffa2-4b2b-9fc1-8e1f3b191e71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/209783/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.7452.20811.10970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/246/overview
Behaviour
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a5c3ffc4c531414822eb09/reports/cc4f531b-5692-4c69-b8ec-abfe3387467a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1de1c356-2e7e-4c36-80e8-91b6d0a50274
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898536
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5595a79bf6de38997bd5bf1fae335e96c99b829855fef781c76d38a2fdcc7f1f/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-30 07:46:30 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwk2pg7w3y4js66vx4p24m26s3ezxauykx7ppaohnu4kf7omp4pq._file
Verdict:
malicious
Similar samples:
2c9377c5c508759f8af41c130dbb63d79d1b4c3c8261ee14501dee88b504cb02
RedLineStealer
6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9
RedLineStealer
6f4d0be0c5e4824c213ca020779cee9279d0ed576c2a13d058ecfd992ade3d9e
RedLineStealer
d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718
RedLineStealer
f4128b1298fd05caadb8c40c93588c09c4f636b997afd88f35a9898ceaf6d2e8
RedLineStealer
+ 3'422 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:easy cash discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211130-g67nzshbb7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
178.238.8.207:11703
Unpacked files
SH256 hash:
1fe112bedb15855b6bcf9094b40daa16689f6f9f73ccdf5b03e68df737e615c4
MD5 hash:
133c3c0d30bf1669a11e636275b9fb51
SHA1 hash:
c1e86e6b288e4c8512a21a85958f3eb88d450b25
Link:
https://www.unpac.me/results/125ed718-80d1-4943-92e2-4dc00909e3bc/
SH256 hash:
11cf9cc7946718dee1591540aa10d9c0c77ae2d534008b39a242cb63f15fd998
MD5 hash:
43a8eeece72615c7a6c92463f7f91ed9
SHA1 hash:
bf0d9b05d78981c9422cbd1bdb391a8449648a65
Link:
https://www.unpac.me/results/125ed718-80d1-4943-92e2-4dc00909e3bc/
SH256 hash:
306306ca05c3141803c3cf3804c990aac003dcd697ceed638db24411ac530f12
MD5 hash:
90ce0a781fbb787651ae90fe16113cef
SHA1 hash:
b4980f8c3bf1b82fc77d448908ec13ef9e731884
Link:
https://www.unpac.me/results/125ed718-80d1-4943-92e2-4dc00909e3bc/
SH256 hash:
5595a79bf6de38997bd5bf1fae335e96c99b829855fef781c76d38a2fdcc7f1f
MD5 hash:
a2ab03703280dac5e45b67ac62235135
SHA1 hash:
2512cf69a163816f4db1ee064ec4fad9dd326706
Link:
https://www.unpac.me/results/125ed718-80d1-4943-92e2-4dc00909e3bc/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5595a79bf6de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5595a79bf6de38997bd5bf1fae335e96c99b829855fef781c76d38a2fdcc7f1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209783/

Comments