MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 6 File information Comments

SHA256 hash:	5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303
SHA3-384 hash:	408b492f20c32c02c0691f74ff98acdb42c2f2d528d466600d1a912a9eb6bb39c3e06978ef4489d2499e5fc80d31599e
SHA1 hash:	d1451fdf426c4b95dbdc1068d0cb5628db6e4a40
MD5 hash:	a08729a8e9457d19abe9c26fb148c74b
humanhash:	stream-illinois-table-london
File name:	a08729a8e9457d19abe9c26fb148c74b.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	441'856 bytes
First seen:	2021-09-27 00:07:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:E+klT97iys1V7MjhV/toE9Qhi4n1WSvviEf8/Kt3hirowJE:GNjhPLm
Threatray	675 similar samples on MalwareBazaar
TLSH	T172942528647FC01985E3EEA52EDCA8FBD99A55E3640C703701B4633B8B52B84DE4F479
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.147.197.123:31820

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.147.197.123:31820	https://threatfox.abuse.ch/ioc/226898/

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a08729a8e9457d19abe9c26fb148c74b.exe

Verdict:

Malicious activity

Analysis date:

2021-09-27 00:08:21 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/a6fb01cd-ee8c-43fc-ab4b-3c48cc2bfb5d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191861/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.972-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/30201fe8-1390-41d5-bc12-14083a63f94c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858561

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-12 06:04:14 UTC

AV detection:

25 of 44 (56.82%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lfapcaocge5pk22kk2qftsn4thnwhbgj2wzmpdjbjxf3jes5umbq._file

Verdict:

malicious

RedLineStealer

16c3925debeb733f58c941bf756a6c247992dafa4dbfa8f7f1d5337b0f96fdf1

RedLineStealer

1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99

RedLineStealer

368d69f599577877c3dca1b45eae62a7da934b832dc2f3b5dfcf18a99f3600be

RedLineStealer

38582026970861e90f4f3f15da60fa5c8bc8759a2fab6c58a6c262d9096ac1e4

RedLineStealer

4c89265179f2471e24688ac126c541886173be7773617450b0849cb48a5a293d

RedLineStealer

7a5a953b328eddffbd69d55bc2d6626c353bcef9a9a9f4efec49cdaa7ac601ac

RedLineStealer

7f614448fc2dadd4bc8a8e495e53d1d05c13d7202eb519b687f9b0c2996b4bef

RedLineStealer

8f5b300680db95b545347229941acb9113690ab187cd7ac7b2cc601b9e31a205

RedLineStealer

9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953

RedLineStealer

+ 665 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@ruloja discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210927-aexldafdg8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.147.197.123:31820

Unpacked files

SH256 hash:

39fcd45bbbf7ce754d80b844feb67d0fbd33e6d30a711ebc326ba278233aeee9

MD5 hash:

8f6180a957927ecbb99a4b64ba377bfd

SHA1 hash:

8b5b8cf4b5155e059ab7b69bae29bcca58073bfe

Link:

https://www.unpac.me/results/adb3c7a9-a6af-45ca-aac2-749d09f69d9a/

SH256 hash:

5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303

MD5 hash:

a08729a8e9457d19abe9c26fb148c74b

SHA1 hash:

d1451fdf426c4b95dbdc1068d0cb5628db6e4a40

Link:

https://www.unpac.me/results/adb3c7a9-a6af-45ca-aac2-749d09f69d9a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191861/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample