MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 812ed49493419e33fa43168dabd9caf8b462c4edd82b4f3f8c0f714b22c7a376. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 4 File information Comments

SHA256 hash:	812ed49493419e33fa43168dabd9caf8b462c4edd82b4f3f8c0f714b22c7a376
SHA3-384 hash:	18a186e0e98ed059dbc22ad24fa1d25069627d46a90efd21e843d4729a52299520aab29aec3cea44592fb80fce96ab5f
SHA1 hash:	c866b47d70c59e7851bcdd6316455770e549ddaa
MD5 hash:	a01958954d1a5c2e3131471ba69df70e
humanhash:	mockingbird-illinois-london-michigan
File name:	a01958954d1a5c2e3131471ba69df70e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	951'808 bytes
First seen:	2022-03-14 08:06:28 UTC
Last seen:	2022-03-14 10:09:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	24576:ehgU/EpmdH38u0ITW1jB/7zwF56R4XaYelCkEaHNYK3tOp2f:ehg5ksN9D8a4qYeYNaPf
Threatray	1'670 similar samples on MalwareBazaar
TLSH	T1EB1533D32390FB9EC64894F978B4B442C3F904B694FDA5046A6777C1323C89ABD7948B
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.232.179.34:20856

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.232.179.34:20856	https://threatfox.abuse.ch/ioc/395095/

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/249967/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/622ef7ab0cd58dbd9294cf3f/reports/fa3b9ab0-0ae7-43a3-8dc7-8eb7c5e1cb34/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/327c598f-6e1c-4e30-81e0-44af91d5701d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/955851

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/812ed49493419e33fa43168dabd9caf8b462c4edd82b4f3f8c0f714b22c7a376/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-03-11 04:26:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 42 (73.81%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qexnjfetigpdh6sdc2g2xwok7c2gfrhn3avu6p4mb5yuwiwhun3a._file

Verdict:

malicious

RedLineStealer

1f302a689174433c1abdb486b2b3c623f0df74766e63ccc608e678ba142432ea

RedLineStealer

22c3fa70f641f2b75a8b0cdd6cab763c2b968e88318bac611f1a002022aeca39

RedLineStealer

2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527

RedLineStealer

4b415f57ac7f2c6fbe7c0a984e819197866fa04b9f88651ab6ede076a7c76c60

RedLineStealer

4e027b305b9bacf2392ffb062acba8bd54e5ce5e5e58951633317256bede4ba2

RedLineStealer

54ad90b2ab54e9171cf391f33bd7a39c0cbf6b12e83e5c2086c0bf7cf2e4f8c2

RedLineStealer

6d13242db3b7161ab420c01a3baa628fa3fa656a7e2019fa41f285d9b82c3fe6

RedLineStealer

92ccbbead3ca1c2a221c3dd06da16bb15fe6aef02859087c09c7d248017d955d

RedLineStealer

b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9

RedLineStealer

+ 1'660 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220314-jzzqxadgf8/

Behaviour

Program crash

Unpacked files

SH256 hash:

4314846d5f608c495816f81d4d60fe59b2176ed3bb986e8d08e24d516ec7b53a

MD5 hash:

b881821367221fcdacf7c3b24fb135f3

SHA1 hash:

60e5bffdaf3d29cbe986abfbc0a684cf8fe75cb7

Link:

https://www.unpac.me/results/690abb94-cd78-4c22-ab66-f4a27e2c1ef3/

SH256 hash:

539d6e4b88ca0e3d736b95e1f6fd39f2cb3059d0084369cc196053d762e91e44

MD5 hash:

d0daa1d74ef6c596dcde34a8b02319a7

SHA1 hash:

b2aaae052ee0b4bd6f3dbe7acc06cd9b150d3c80

Link:

https://www.unpac.me/results/690abb94-cd78-4c22-ab66-f4a27e2c1ef3/

SH256 hash:

812ed49493419e33fa43168dabd9caf8b462c4edd82b4f3f8c0f714b22c7a376

MD5 hash:

a01958954d1a5c2e3131471ba69df70e

SHA1 hash:

c866b47d70c59e7851bcdd6316455770e549ddaa

Link:

https://www.unpac.me/results/690abb94-cd78-4c22-ab66-f4a27e2c1ef3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/812ed49493419e33fa43168dabd9caf8b462c4edd82b4f3f8c0f714b22c7a376

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249967/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample