MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 761239c9a426c4a94b4f2c6276f11b2b807648b5d82610afda6501716a813c80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	761239c9a426c4a94b4f2c6276f11b2b807648b5d82610afda6501716a813c80
SHA3-384 hash:	6772985fe77aa6938f81d85227edc65fb0091eb1e9bb925558f604da23778d94cbde609b304d294dc4e6c2a0b9a055f6
SHA1 hash:	12985f06da4389ffa06d6d4da958297b98d98319
MD5 hash:	1b9e4ed4762c8397c92872a4bc19618f
humanhash:	lithium-yellow-florida-neptune
File name:	761239c9a426c4a94b4f2c6276f11b2b807648b5d8261.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'185'200 bytes
First seen:	2022-05-31 00:05:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	59fdc9cf44445c51b55dc51f095af280 (2 x RedLineStealer, 1 x Amadey)
ssdeep	24576:q7i7pFNp4++N3QA8ErurALyBW26y2czegb3eRKvvE:t9FNp4XN3QAfivyQKh
TLSH	T10B45120264DB0231D462AAB0647373A339B2F4B1A6750B1B5EB9153D3D0E3CCB666BD7
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	02e9f8ecccd0e8ec (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
138.201.191.162:4821

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
138.201.191.162:4821	https://threatfox.abuse.ch/ioc/643522/

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

761239c9a426c4a94b4f2c6276f11b2b807648b5d8261.exe

Verdict:

Malicious activity

Analysis date:

2022-05-31 00:07:04 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/32215ff3-0110-4751-83aa-1c4f1b3e8301

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/275559/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Launching a process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/62955beceba388bb8687d1f7/reports/fed9264c-1b30-45bf-952a-1ba1ad532044/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1a0bc28b-293a-4e20-8208-b04dd419c6cb

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003874

Signature

Allocates memory in foreign processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/761239c9a426c4a94b4f2c6276f11b2b807648b5d82610afda6501716a813c80/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-05-30 21:44:06 UTC

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oyjdtsnee3ckss2pfrrhn4i3foahmsfv3atbbl62muaxc2ubhsaa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:lolztest infostealer spyware upx

Link:

https://tria.ge/reports/220531-adq27sbgbr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

RedLine

RedLine Payload

Malware Config

C2 Extraction:

138.201.191.162:4821

Unpacked files

SH256 hash:

58eadc0a0d647c4e511021a0cbfec016334f6e76c96cbeafcb4d49b51eafb41a

MD5 hash:

1fc6d4e501714392bbe03e0ab4d43ea5

SHA1 hash:

0cc93b473f71a5a7e4890f94907cb541607ce703

Link:

https://www.unpac.me/results/4fe5f6c9-e9aa-4e48-8494-58a11d721c4c/

SH256 hash:

874e27b84dca0cf55b05127b928e41799618628e0f86f04fc49576474cc6bf6c

MD5 hash:

74848f1041e0d7a619fd4079027b55b2

SHA1 hash:

c67791d179c64816932500e5f635edc97ca65e3b

Link:

https://www.unpac.me/results/4fe5f6c9-e9aa-4e48-8494-58a11d721c4c/

SH256 hash:

1f71f9e29a5fb51e4ac5618b82de291198231ca7adf830487989f8be8e0153f9

MD5 hash:

0c30f74faab9e0010369f529e483d0bc

SHA1 hash:

b63060bf0cbab8c3b5d6522318a1abc863eca9ba

Link:

https://www.unpac.me/results/4fe5f6c9-e9aa-4e48-8494-58a11d721c4c/

SH256 hash:

761239c9a426c4a94b4f2c6276f11b2b807648b5d82610afda6501716a813c80

MD5 hash:

1b9e4ed4762c8397c92872a4bc19618f

SHA1 hash:

12985f06da4389ffa06d6d4da958297b98d98319

Link:

https://www.unpac.me/results/4fe5f6c9-e9aa-4e48-8494-58a11d721c4c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/761239c9a426/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/761239c9a426c4a94b4f2c6276f11b2b807648b5d82610afda6501716a813c80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/275559/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample