MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef6a3e8a70847b098a042ce963d12ec6e777c0c335b33d64e232912807af219. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	5ef6a3e8a70847b098a042ce963d12ec6e777c0c335b33d64e232912807af219
SHA3-384 hash:	443d6458c9f550280ffb2920a252fa28509a121e0db7dd5a106dc8bf5a09a909bbcdcd86d725bf18fbf030f545f52afc
SHA1 hash:	432e3a5a463f2ec7b18beca594a9f357839c4ed2
MD5 hash:	84867d3daccdec9b8d2a10ca4ec9ef45
humanhash:	robin-triple-two-five
File name:	84867D3DACCDEC9B8D2A10CA4EC9EF45.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	266'240 bytes
First seen:	2021-07-21 22:01:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c0421ed5a83b160afea7e603167f846a (1 x RaccoonStealer, 1 x Smoke Loader, 1 x RedLineStealer)
ssdeep	6144:hNlIUiGOXtqmTTTvmDdKASu+jtzYVbLyXnkOpo:j+AYMevmDdDSu+jtzYV/y3B
Threatray	3'501 similar samples on MalwareBazaar
TLSH	T16044DF1076F0D432D5B7693088F1C6A1663FBC225A34964A36A53FDB6E312D1AA7D3C3
dhash icon	a6e6c6c6e6aca686 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
147.124.222.75:42864

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
147.124.222.75:42864	https://threatfox.abuse.ch/ioc/162001/

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

84867D3DACCDEC9B8D2A10CA4EC9EF45.exe

Verdict:

Malicious activity

Analysis date:

2021-07-21 22:03:09 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/73d34ade-641c-4ddd-8893-3128271c518b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/173186/

Detection(s):

Win.Dropper.Genkryptik-9880017-0

Win.Packed.Filerepmalware-9880018-0

Win.Malware.Generic-9880039-0

Win.Malware.Generic-9880077-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/93807a0d-9104-4c0c-94c4-d63327ff60de

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/819796

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ef6a3e8a70847b098a042ce963d12ec6e777c0c335b33d64e232912807af219/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2021-07-19 11:08:15 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l33kh2fhbbd3bgfailhjmpis5rxho7amgnnthvsoemurfad26imq._file

Verdict:

malicious

RedLineStealer

7746d06b49835e0b431daaa65c560b936ba1598e886a1749496966da2918ce87

RedLineStealer

a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5

RedLineStealer

ab8c569869fe2fbb65e917a16d9294281bb0d092856a3f114ff1ee4750f599e1

RedLineStealer

b138c67994648f1784c8263e0af703662e2bd8e55d9d8a1189dcf243f2bff657

RedLineStealer

b1ba2d7a4b78729cf332357c9d5e5e63b51796bc107fff6a45dd6149a3760365

RedLineStealer

+ 3'491 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:170 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210721-ra2bjg687a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

147.124.222.75:42864

Unpacked files

SH256 hash:

8ee28e23e0e57d1f89580a7d93f021d4e6819f2346073d7faeb8f90b503704ef

MD5 hash:

9765fe7edfe7f4917dd23facbd03a0d4

SHA1 hash:

f6a04d9a3df8b2a7bf2365dd5a3fff34a2dcd01a

Link:

https://www.unpac.me/results/29712c3c-fb66-49a5-a58c-4ca8601f166a/

SH256 hash:

1cf2e74b9a10cc7f9133c9013548e25728bf36c5e9af80d6f113a07a9e8c25cd

MD5 hash:

7c2960f63f20ccbbccbf23ef0175ee5a

SHA1 hash:

7e9dcfbc96e0036f4806087d9aadea8af46399d7

Link:

https://www.unpac.me/results/29712c3c-fb66-49a5-a58c-4ca8601f166a/

SH256 hash:

ac1911e725cdce75d996b7c716bc869d7fcf13ce2f0f4231f49fe83096ccd6c9

MD5 hash:

26e352e904490f4059df4a574b9afde7

SHA1 hash:

37c7a3a0c417d71af6a9a4f3fd48d7c595c48ff8

Link:

https://www.unpac.me/results/29712c3c-fb66-49a5-a58c-4ca8601f166a/

SH256 hash:

5ef6a3e8a70847b098a042ce963d12ec6e777c0c335b33d64e232912807af219

MD5 hash:

84867d3daccdec9b8d2a10ca4ec9ef45

SHA1 hash:

432e3a5a463f2ec7b18beca594a9f357839c4ed2

Link:

https://www.unpac.me/results/29712c3c-fb66-49a5-a58c-4ca8601f166a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ef6a3e8a70847b098a042ce963d12ec6e777c0c335b33d64e232912807af219

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173186/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample