MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6689cd6f4c80d327a0129bf829883a8c4f52116d7c91b4677a34b1d851793c2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	6689cd6f4c80d327a0129bf829883a8c4f52116d7c91b4677a34b1d851793c2c
SHA3-384 hash:	c5d87c3e5eab5b93d96fbada73a9d3aa3d9bc958ee8a7e3ee487a8f69643bc33251c51bc1158e247b7d3cf4cbf5af0b4
SHA1 hash:	ef7ca80dabeeeacc0651104f555c1084ffeceb6a
MD5 hash:	a33010faebf7dc39eadbb3b4e5b5c8d3
humanhash:	lake-single-hotel-carbon
File name:	a33010faebf7dc39eadbb3b4e5b5c8d3.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	320'512 bytes
First seen:	2021-09-25 08:56:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42558e76cb0191e50d5255e5f863e8b9 (11 x RaccoonStealer, 5 x RedLineStealer, 2 x Stop)
ssdeep	6144:W7ZQS9UHvQGLJy2U3UIJGSTx7lLAhwHykyxPHfz0:6Z6QGLJyQIJL7KGyke3w
Threatray	6'408 similar samples on MalwareBazaar
TLSH	T13E64CF20B6A0C035F5BB52F855B993B8B83D3EB19B3451CB92D616FA16386E8DC30747
File icon (PE):
dhash icon	ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.20:13441

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.20:13441	https://threatfox.abuse.ch/ioc/226443/

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a33010faebf7dc39eadbb3b4e5b5c8d3.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 08:59:52 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/e05cbf2b-e88f-44d6-8f6b-6ff6b5590cb7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191408/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.22696.UNOFFICIAL

Win.Malware.Raccoon-9894356-1

Win.Malware.Generic-9894375-0

Win.Malware.Raccoon-9894475-1

Win.Packed.Fragtor-9894476-0

Win.Packed.Fragtor-9894751-0

Win.Packed.Fragtor-9895216-0

Win.Packed.Fragtor-9895692-0

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d5e4ab6-1cd2-41f8-845c-1508f83b43fd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857867

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6689cd6f4c80d327a0129bf829883a8c4f52116d7c91b4677a34b1d851793c2c/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-21 03:32:00 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m2e4232mqdjspiastp4ctcb2rrhveelnpsi3iz32gsy5qulzhqwa._file

Verdict:

malicious

RedLineStealer

3b6b17e3b6a37bab2f7c435a31348c7abc3590275c6c087d50f68bf6b4b89f55

RedLineStealer

50d3dfa972fb43c58c72d366db9066f59a7e0cbd62380a3447f8afe911ecdfef

RedLineStealer

72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a

RedLineStealer

9c46b0c1c7a38127b1b163163646703a91267c09537c38762ffa9586aa4a4d0a

RedLineStealer

9f154115fa8045aa05f15f7cd1de9623ebe32e8ea400279ecb5dfa3596952e3b

RedLineStealer

a008bb0729de684e5924e241190f6ac3d3fcc780cc409449a594e4fb9a1e8bed

RedLineStealer

bc622f5729f264d9943fdbfda5bacb5f8654c7bbbeada1a58da252434dee4f1f

RedLineStealer

cd517a0b8edbf878a10147ece991468cd24a8e8dc17ad7afa098c82894a7ee63

RedLineStealer

eed60b9749e55ab52634fcc2befd94a17eca1e4b31af3eefd5593c0f1ce7083f

RedLineStealer

+ 6'398 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udp discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210925-kwlkjsahb8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.20:13441

Unpacked files

SH256 hash:

90b0e7d902727351e4a88f3b02c2d3d15d202b2a0ea118c961c21c258617c1cf

MD5 hash:

6ac070b383c57c84bce059f1611a8bc0

SHA1 hash:

f8768f72c0cc63945cbe31b75e39a9d207db06b5

Link:

https://www.unpac.me/results/8c8bc6ba-d4bd-4ac3-8cae-6bce10ecf341/

SH256 hash:

74ec8e7f6661e87226bb95a4ba97ae828c45f3142b78d068492cff7162bbbd47

MD5 hash:

f007c18cee4cbdd6992122a8a216ccc0

SHA1 hash:

5b931b76947bb4484ae7b94a60e83c65f92b21b3

Link:

https://www.unpac.me/results/8c8bc6ba-d4bd-4ac3-8cae-6bce10ecf341/

SH256 hash:

fc667313899f6647f9d67a16af1234ac6b109223b7c3ce0d178614985cfd27e9

MD5 hash:

24eb234842defb045592109e300bed32

SHA1 hash:

4fa3017ddf932a7f7ae7fbbeda7eacbea609f283

Link:

https://www.unpac.me/results/8c8bc6ba-d4bd-4ac3-8cae-6bce10ecf341/

SH256 hash:

6689cd6f4c80d327a0129bf829883a8c4f52116d7c91b4677a34b1d851793c2c

MD5 hash:

a33010faebf7dc39eadbb3b4e5b5c8d3

SHA1 hash:

ef7ca80dabeeeacc0651104f555c1084ffeceb6a

Link:

https://www.unpac.me/results/8c8bc6ba-d4bd-4ac3-8cae-6bce10ecf341/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6689cd6f4c80d327a0129bf829883a8c4f52116d7c91b4677a34b1d851793c2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample