MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 617a8427f5e6810e55ce84151aae1d9d4f5a7244e44035a0cae89f5c70de9d7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	617a8427f5e6810e55ce84151aae1d9d4f5a7244e44035a0cae89f5c70de9d7d
SHA3-384 hash:	ebf77a6eb37ffa80eb8bea910006dbcc3b22ff75e94391404ebe37a8830c85459769e019a5864cf3c4e30e0481b28f68
SHA1 hash:	a65bc07ffbcb9c889fc4b7de11988ebae27c5d72
MD5 hash:	0d6379d10486fec9e23dcf1c5ffce1e0
humanhash:	ceiling-emma-batman-pip
File name:	0d6379d10486fec9e23dcf1c5ffce1e0.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	458'752 bytes
First seen:	2021-11-06 10:53:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9e4746628ebaf71569a51552a1011d76 (6 x RedLineStealer, 3 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	6144:yK7R7/LgKa95tSddYj0qJma+1FKRbkDjnu3ec5pgRj1TgKW5/g:yK7R7/m95AdH6MFSbkDjnu3eb5AO
TLSH	T171A4C000B7A1C039F5B212F479B593A9B93A7DA15B3491CF22D53AEE56306E0ECB1707
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/202896/

Detection(s):

Win.Trojan.Generic-9906244-0

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61865ed043a4f74809111df8/reports/f7cc1336-9dcb-4b21-af8c-fcb1bdd92ce7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db4ca0e3-4e2d-4498-bf52-ffeb95766e92

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/884488

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/617a8427f5e6810e55ce84151aae1d9d4f5a7244e44035a0cae89f5c70de9d7d/

Threat name:

Win32.Trojan.Phonzy

Status:

Malicious

First seen:

2021-11-06 05:20:00 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mf5iij7v42aq4vooqqkrvlq5tvhvu4se4radligk5cpvy4g6tv6q._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udptest discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211106-mzkhrsbecq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.56.146.64:65441

Unpacked files

SH256 hash:

e1ae7e2b33b3dc036f12fac7f372134090935de29d453fdc0c838db5288340ab

MD5 hash:

c1108718dcfb2b7a752e2c4c1e27659d

SHA1 hash:

59c7c4ca474af49a7fc77e58da554f02f9d68191

Link:

https://www.unpac.me/results/f96b21e4-39fb-413f-a37e-454347b2ae3e/

SH256 hash:

b602a2710845fe08f9c0b53c053ddc834e25b3e4cd36e6162ffed3a028346044

MD5 hash:

b4bfd945fe4a51c1a6f4aafa964aea7d

SHA1 hash:

5207263194c4902eb2dee4c2659a1af725057699

Link:

https://www.unpac.me/results/f96b21e4-39fb-413f-a37e-454347b2ae3e/

SH256 hash:

a3016b6e5863c9b51ef7616c7bb720c2a2dc4b4ff545af47aabc8ad82b5dc45c

MD5 hash:

988bab2529a6b385e407ba8ef050dc51

SHA1 hash:

3851cb15de623f44d62581e970ab183d8ed4769c

Link:

https://www.unpac.me/results/f96b21e4-39fb-413f-a37e-454347b2ae3e/

SH256 hash:

617a8427f5e6810e55ce84151aae1d9d4f5a7244e44035a0cae89f5c70de9d7d

MD5 hash:

0d6379d10486fec9e23dcf1c5ffce1e0

SHA1 hash:

a65bc07ffbcb9c889fc4b7de11988ebae27c5d72

Link:

https://www.unpac.me/results/f96b21e4-39fb-413f-a37e-454347b2ae3e/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/617a8427f5e6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/617a8427f5e6810e55ce84151aae1d9d4f5a7244e44035a0cae89f5c70de9d7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.