MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57fdfd86b555d1552fa81a5b23194dc8ac51c7686ca491aca03d3cd89aa31dce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57fdfd86b555d1552fa81a5b23194dc8ac51c7686ca491aca03d3cd89aa31dce
SHA3-384 hash: a26e7d85c709e6e552f2aece7bdeded4a1b33b39d8bcc54122dba3daba5571e302e64112429a6d860dcefccb559c3f2a
SHA1 hash: a15b2bcc02b27e2cd4afd2cc51fae18c6be351a4
MD5 hash: 63316db5cc6a1bcebe2da172c8ebff72
humanhash: quebec-lima-oregon-moon
File name:57fdfd86b555d1552fa81a5b23194dc8ac51c7686ca49.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:424'448 bytes
First seen:2022-01-14 17:18:00 UTC
Last seen:2022-01-14 19:00:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b64005fca420b49d81b8053e247d722b (1 x CoinMiner, 1 x CoinMiner.XMRig, 1 x Amadey)
ssdeep 12288:56NnMwDn1tehCQSFvxDwcJLQ1R0+864YPmRl:2MefehCQixDl8z3H4Yy
Threatray 4'437 similar samples on MalwareBazaar
TLSH T1C294C010FB60C035F5B762F84A7A93ACB53E7AA1573490CBA2D525DE46386E1EC31707
File icon (PE):PE icon
dhash icon 2dec1370399b9b91 (25 x RedLineStealer, 21 x Smoke Loader, 8 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
207.32.219.80:39824

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
207.32.219.80:39824 https://threatfox.abuse.ch/ioc/295285/

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
57fdfd86b555d1552fa81a5b23194dc8ac51c7686ca49.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 17:25:35 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/69fe12f4-fc8e-4d25-ac1a-93fcbf3bdd04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219371/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.82260.11930.158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4205/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61e1b0501883c5ba4ecc6abd/reports/9be754e4-c918-467d-ae6a-a31e6d7ff263/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91b8d3ce-a973-4caf-89b9-b766911451d2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920867
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57fdfd86b555d1552fa81a5b23194dc8ac51c7686ca491aca03d3cd89aa31dce/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 17:18:13 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7673bvvkxivkl5idjnsggknzcwfdr3inssjdlfahu6nrgvddxha._file
Verdict:
malicious
Similar samples:
15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d
RedLineStealer
2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7
RedLineStealer
2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702
RedLineStealer
6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
RedLineStealer
7eec09749966b69d9eb49acb8e2d50925b3a4cc26d3051dca1dbe91888ca21ad
RedLineStealer
7fe9c6169c86f79b884eb269649b1e279d2619cc1fe69982f74f0371629dec33
RedLineStealer
c72d58f2ee5007430aac685459da0714396615aaeda68ff1ae5c8c0f9d9396cb
RedLineStealer
e5fa3a5fc4f1e1c8286a6bd37ea4b40f6879e629f27e64e7dd491fb42dc6fe36
RedLineStealer
ebca21122d4ab9dbef25f95fa2d44e5e7ce4cc120e4cf788790bdeba5ad51d60
RedLineStealer
+ 4'427 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220114-vt958shdd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
629fbe3df968a7f5abaaad6849f7157a59aa14d666a56655bfddce943e0ad936
MD5 hash:
285510ba4e11772671ebf230d274965b
SHA1 hash:
9b6dac61b18abbd8bb3936a574750b345b59c790
Link:
https://www.unpac.me/results/1acb85e2-a8aa-40da-9f28-770a2f508cd3/
SH256 hash:
4fe0738a6990d31e63b5a1b98128c015c3cd3c557d282e745b7297ca99b71f26
MD5 hash:
16c00397142896b7739c0c5b980e41e5
SHA1 hash:
74e05b8feaa1798b28140ed2ed85624593a295d9
Link:
https://www.unpac.me/results/1acb85e2-a8aa-40da-9f28-770a2f508cd3/
SH256 hash:
c11170bfa1b3179f9198f4619c678fd6af7bc43f058e97aa897f883f056ab143
MD5 hash:
e8016f826c008d79a325b9ae8129bcdf
SHA1 hash:
187ff828b87d751bfb2f8a367d4a692463681b50
Link:
https://www.unpac.me/results/1acb85e2-a8aa-40da-9f28-770a2f508cd3/
SH256 hash:
57fdfd86b555d1552fa81a5b23194dc8ac51c7686ca491aca03d3cd89aa31dce
MD5 hash:
63316db5cc6a1bcebe2da172c8ebff72
SHA1 hash:
a15b2bcc02b27e2cd4afd2cc51fae18c6be351a4
Link:
https://www.unpac.me/results/1acb85e2-a8aa-40da-9f28-770a2f508cd3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57fdfd86b555d1552fa81a5b23194dc8ac51c7686ca491aca03d3cd89aa31dce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219371/

Comments