MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 559b4924c088d5f9ff55603401f8b4ac68d9f6022367897568a1581b6025583c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	559b4924c088d5f9ff55603401f8b4ac68d9f6022367897568a1581b6025583c
SHA3-384 hash:	ce479dc25aa079f104b07d808d57cebdd991f892b6c9bf4e4024b23dacc8bcb99250bf69ae576b0c0dd9bfa2fb4a11d4
SHA1 hash:	42b1a85c54893ac67b6a96a466a9efba392378bd
MD5 hash:	00c57499c021312be6fe817f1a03905c
humanhash:	sink-carbon-yellow-papa
File name:	00c57499c021312be6fe817f1a03905c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'619'768 bytes
First seen:	2022-04-09 06:51:30 UTC
Last seen:	2022-04-09 07:41:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	92abf5ad90fc2838b3b0b9a065cff363 (14 x RedLineStealer, 1 x CoinMiner.XMRig, 1 x Formbook)
ssdeep	98304:YKskO0egKVE2eRwssjccRoKgi0VjNbEvowmDmDL4Yxiu7:Y8agKV5ewsSRVmlwoqxxd
Threatray	5'481 similar samples on MalwareBazaar
TLSH	T14E26237B03660275D1ECD82DCB37BEF071F60237868DA4B8F1E567C612A18A6D263D52
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

00c57499c021312be6fe817f1a03905c.exe

Verdict:

Malicious activity

Analysis date:

2022-04-09 06:55:29 UTC

Tags:

redline

Link:

https://app.any.run/tasks/e512eb44-6a13-4776-a106-442ddbc4e97f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/262258/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.74645.26399.20431.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13250/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/62512d1404b81dabe2637b09/reports/98472496-a67d-4a34-bf95-aa1960922804/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/600c0b4e-1823-4378-913d-77cfb35edf3b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/973677

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/559b4924c088d5f9ff55603401f8b4ac68d9f6022367897568a1581b6025583c/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-04-08 06:29:29 UTC

File Type:

PE (Exe)

AV detection:

21 of 42 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kwnusjgardk7t72vma2ad6fuvrunt5qcentys5liufmbwybfla6a._file

Verdict:

malicious

RedLineStealer

381517605def58f63a5aabe969f824b399e16c952042d3d549bf4a276d433eb5

RedLineStealer

6b4804777b25701db99465d7ed7985c53ea07e4e09bcb209815ba009629b45e7

RedLineStealer

8b120ba977ae25b77708858060c880e12d9cc84128749dcbf39daa904c8fa80c

RedLineStealer

a866fa02bf6f9324d6f3713ed1533e4f0262a29a50ab0734e03fe6ed52df11fd

RedLineStealer

b50d346307ef27c92bf6e5fda61bf060e00ab50119b50facb34cad30747f7c8e

RedLineStealer

fc45aada4dd0fd54fea4854bd07276881f46b469cc248146d1772188a5704384

RedLineStealer

+ 5'471 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:11aaaaa evasion infostealer trojan

Link:

https://tria.ge/reports/220409-hm2t3abeaq/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Checks BIOS information in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.11.73.5:10366

Unpacked files

SH256 hash:

da7620642c42445873373f629318ba4077fcc5e1e6bc4bddadbc3ef2f2d0648c

MD5 hash:

362f563dacd508269c57e840a3c3e7c7

SHA1 hash:

6a05560fe031f9e0bdfc3697771bb50b8dba12fd

Link:

https://www.unpac.me/results/407beffb-ebb6-401d-86f5-637a06227cb9/

SH256 hash:

7c8d082626ddfab283032119a04cdd0e4750ecdb3215c3c0711346f351691f6c

MD5 hash:

15cc23cedcfbb1ef342fadab86359ebd

SHA1 hash:

3b9c964ef90d8c2811b254475532d96daed7e51f

Link:

https://www.unpac.me/results/407beffb-ebb6-401d-86f5-637a06227cb9/

SH256 hash:

559b4924c088d5f9ff55603401f8b4ac68d9f6022367897568a1581b6025583c

MD5 hash:

00c57499c021312be6fe817f1a03905c

SHA1 hash:

42b1a85c54893ac67b6a96a466a9efba392378bd

Link:

https://www.unpac.me/results/407beffb-ebb6-401d-86f5-637a06227cb9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/559b4924c088/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/559b4924c088d5f9ff55603401f8b4ac68d9f6022367897568a1581b6025583c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/262258/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample