MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6db25bdd7239e3d5af75c6f0e13a850c5a5a05f0ca0f459398610a8d2d69546d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	6db25bdd7239e3d5af75c6f0e13a850c5a5a05f0ca0f459398610a8d2d69546d
SHA3-384 hash:	a11dd970264384b2792f4a7314c5f7133d9da648d04b038e2c1dd09d4de5065f22027bf0b250adcb9de2d6152b25421f
SHA1 hash:	5ef34b1a935285206acc605ccb46d1604927a746
MD5 hash:	8c99c8ae9c95c6b8d200ce5333f4287b
humanhash:	ceiling-sad-undress-alaska
File name:	6db25bdd7239e3d5af75c6f0e13a850c5a5a05f0ca0f4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	453'120 bytes
First seen:	2022-01-01 13:55:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32df35ab14d0628383369ad5359c805a (1 x RedLineStealer, 1 x Smoke Loader)
ssdeep	12288:MwAVbviCMbwnaTAw1U8f/XxNZTVM4yDPE0ZW3:MwoziCMb48f/DM4yDK
Threatray	4'302 similar samples on MalwareBazaar
TLSH	T1C9A4AE10AB61C035F5B362F4497A9269B63E7EA16B3490CB53E526FD97346E0EC3031B
File icon (PE):
dhash icon	e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.10:32605

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.10:32605	https://threatfox.abuse.ch/ioc/290190/

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6db25bdd7239e3d5af75c6f0e13a850c5a5a05f0ca0f4.exe

Verdict:

Malicious activity

Analysis date:

2022-01-01 13:58:20 UTC

Tags:

installer trojan rat redline

Link:

https://app.any.run/tasks/032e0e5b-fcab-496a-8ea8-739d276294ac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/217006/

Detection(s):

Win.Packed.Generic-9918587-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3627/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61d05d75ec6c6c14a9033953/reports/4deb1b79-2110-44c8-8f40-60bd0a13644b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/126330e2-7e37-4591-83b5-be63e0c46ef9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/914462

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6db25bdd7239e3d5af75c6f0e13a850c5a5a05f0ca0f459398610a8d2d69546d/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-01-01 13:56:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nwzfxxlshhr5ll3vy3yocoufbrnfubpqzihule4ymefi2lljkrwq._file

Verdict:

malicious

RedLineStealer

23a5e5b0cb827bc3f5d193dea0aaf03296c7c4f4a34eb5884caf8db7d12a7eee

RedLineStealer

2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702

RedLineStealer

3fdf21f7ad2430c552a8dc34c6fbaf82d95a0f44b9a7bd514d89ad3d074d345f

RedLineStealer

7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

8c932dce374220d274242f9ec935e8adc0ecbfbc1f3896ff941e718dc33d67a3

RedLineStealer

f4128b1298fd05caadb8c40c93588c09c4f636b997afd88f35a9898ceaf6d2e8

RedLineStealer

+ 4'292 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220101-q8pevshfh2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

99e7d95d060e7a69799e7e204a0513622b1378b64b8febf51b6b925a5ad472e4

MD5 hash:

af068d62f3c51d0d3b85824602263a8e

SHA1 hash:

c4ca1f99533dfe4d6c5cd623da57491f1d00f66f

Link:

https://www.unpac.me/results/3a9fa60d-51cf-457a-b1f5-2cbced900a6c/

SH256 hash:

6727a22c884141f5c8c29508c7e3f3e4ad1e83d47c363b258d05d9cdbda7003b

MD5 hash:

b1d442b929f526a0814e197d8e7f3053

SHA1 hash:

8dc0b74f063392703e55a4715d6d5ebd710fcdb3

Link:

https://www.unpac.me/results/3a9fa60d-51cf-457a-b1f5-2cbced900a6c/

SH256 hash:

f190b154916d3c6882c5084c90bf0e0a4a2ae300c7e145b47995808df2556fee

MD5 hash:

85d9f202340fa3633874fdd578cfb934

SHA1 hash:

14b3b46122c65bbdeb12bdac22af959d75ce958c

Link:

https://www.unpac.me/results/3a9fa60d-51cf-457a-b1f5-2cbced900a6c/

SH256 hash:

6db25bdd7239e3d5af75c6f0e13a850c5a5a05f0ca0f459398610a8d2d69546d

MD5 hash:

8c99c8ae9c95c6b8d200ce5333f4287b

SHA1 hash:

5ef34b1a935285206acc605ccb46d1604927a746

Link:

https://www.unpac.me/results/3a9fa60d-51cf-457a-b1f5-2cbced900a6c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6db25bdd7239e3d5af75c6f0e13a850c5a5a05f0ca0f459398610a8d2d69546d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/217006/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample