MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f9bccb44772e2203b0fe618dd0868bb5b9272dc8547f82d6e8c6e1ea05f0be3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	5f9bccb44772e2203b0fe618dd0868bb5b9272dc8547f82d6e8c6e1ea05f0be3
SHA3-384 hash:	586b1e5c6e7450900a94643f7c85de5ffd49060e7909801147bf70d9b109337d714c5e1d017474ea602758cbe1b4891a
SHA1 hash:	47c5fd9dac19abf8d8b223cef86228a92192b0ca
MD5 hash:	a16781ffcc998c446cd73a976a7b5051
humanhash:	football-social-kentucky-maryland
File name:	a16781ffcc998c446cd73a976a7b5051.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	430'760 bytes
First seen:	2021-09-26 00:05:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	64db17fb74f0fc4cbe32aa2e57d24a0f (17 x RedLineStealer, 6 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep	6144:4zGOmiNwZ5QCeD3VWFbiE7HhTppzh//cxONjSTU+c2nsu:hOmiNk56DFWwEDthHOTB9nsu
Threatray	6'624 similar samples on MalwareBazaar
TLSH	T1E794BE20BAE0C035F5B716F45AB99778B93D7AB1AB3480CB22D556EA1B342E4DC30357
File icon (PE):
dhash icon	4a733336520f6682 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
80.87.192.249:16640

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
80.87.192.249:16640	https://threatfox.abuse.ch/ioc/226452/

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a16781ffcc998c446cd73a976a7b5051.exe

Verdict:

Malicious activity

Analysis date:

2021-09-26 00:07:07 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/ff293353-e662-47a7-a6f2-e29ac41e90be

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191647/

Detection(s):

Win.Packed.Fragtor-9895692-0

Win.Packed.Fragtor-9895770-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Launching a service

Creating a window

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/495d5aeb-fce4-432e-898e-0c7e27bfd752

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858213

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f9bccb44772e2203b0fe618dd0868bb5b9272dc8547f82d6e8c6e1ea05f0be3/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-09-25 04:46:00 UTC

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=l6n4zncholrcaoyp4ymn2cdixnnze4w4qvd7qllorrxb5ic7bprq._file

Verdict:

malicious

RedLineStealer

46e9e160b1efdfc217e3640533c272b98678d2f3ee3d128100857da769b5d658

RedLineStealer

5c6ce925956ff002d7f3f533d18cdd06384f8d48998c49a9bfec4ce490971f14

RedLineStealer

654565b89c65e142f50bb95331ade59623700eaee14fc56dea8a09a07c5b0378

RedLineStealer

8cd6bd2b6b54f07317e7ce2c579e028d4e9f52a776b8327461258c7f1fadeec9

RedLineStealer

b5166e35c23cdb13e9436deee60fd7910984504274e0717f9e43a789112e744f

RedLineStealer

cae1a65947d12ad34738b6b2d181334b83f9d46aa4ef2cbe4cb5aa06e1e8b212

RedLineStealer

df1f97bc36b16e89492eac798745c9427681c448aad6bc5398cb32d1f3c96891

RedLineStealer

e5ca91a98799cc7a0fdcd0c45f0fce3bfc03ac7d77a7dd20874d6ac5b6476085

RedLineStealer

ee1465683fd8c09fe3908879b9250b1d5898aa0a25986278aef04fab6fd898be

RedLineStealer

+ 6'614 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210926-adsk2aeacp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

80.87.192.249:16640

Unpacked files

SH256 hash:

a2ff10e0568df7a62caaf5a19981dd0e88c2325056ffdf268daf58df1e9644c1

MD5 hash:

5bfdac8c7169ccb5f6f3bc52da9a91ed

SHA1 hash:

d3edc93f8e4da83163f814f3c99ec41484480a4c

Link:

https://www.unpac.me/results/db2608e1-4f12-4894-a116-58edc129f833/

SH256 hash:

0fe6290010b63b124188c14cf38f0406a9dbf7496afabe687d4e3eeec600df23

MD5 hash:

fd4f9efb04464d149c3ace53c110e0f4

SHA1 hash:

9ea9bd0679b139d9a7d747f0f6a13c6191b06567

Link:

https://www.unpac.me/results/db2608e1-4f12-4894-a116-58edc129f833/

SH256 hash:

bbc53e129ffcc33b3c9749c808c7d21366e382708e7b90489dcc5241dc04fd27

MD5 hash:

31e4db2a19a304ee2693d242e9837f29

SHA1 hash:

8a2b50b7733a2a9c7ae4628e728ee9cbd27fb8e3

Link:

https://www.unpac.me/results/db2608e1-4f12-4894-a116-58edc129f833/

SH256 hash:

5f9bccb44772e2203b0fe618dd0868bb5b9272dc8547f82d6e8c6e1ea05f0be3

MD5 hash:

a16781ffcc998c446cd73a976a7b5051

SHA1 hash:

47c5fd9dac19abf8d8b223cef86228a92192b0ca

Link:

https://www.unpac.me/results/db2608e1-4f12-4894-a116-58edc129f833/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5f9bccb44772e2203b0fe618dd0868bb5b9272dc8547f82d6e8c6e1ea05f0be3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191647/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample