MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 826a0a15b1dd1943316f40dcc16180705043558a14e9065227186d55bbe05343. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 826a0a15b1dd1943316f40dcc16180705043558a14e9065227186d55bbe05343
SHA3-384 hash: f85589f8020627ecaf396b409aa8e63ce1465296e06dfc16035c3b3aa8bba5b83b6ec0c52c8710a0ef68ed107af492b5
SHA1 hash: 55d58208627545a40e90e1e4ee832978b4c498eb
MD5 hash: 0d89cb117617178c6c34c1e10656b40b
humanhash: september-montana-ink-four
File name:0d89cb117617178c6c34c1e10656b40b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:11'590'226 bytes
First seen:2022-06-10 04:52:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c09d997bba3225142a0281004608efa (5 x RedLineStealer, 1 x ArkeiStealer, 1 x Formbook)
ssdeep 49152:oMjHL9CTy7Qjj2pIHohA5p8rFQCSEZBC:oMjHL9CTiQjj2pIHoGpa5n
TLSH T1DFC609039A8B0E75DDC27BB461CB633B9734EE30CA269B7FF608C53559532C5681AB42
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.181.164.161:20856

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.181.164.161:20856 https://threatfox.abuse.ch/ioc/686175/

Intelligence

File Origin
# of uploads :
1
# of downloads :
383
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0d89cb117617178c6c34c1e10656b40b.exe
Verdict:
Malicious activity
Analysis date:
2022-06-10 04:53:40 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4ee2df48-d71c-4b77-b23b-8ea794bd56dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278550/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39754445.1141.24488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye vidar
Link:
https://www.filescan.io/uploads/62a2ce0255f7892290315078/reports/e5a882fc-9ce8-45cf-bc28-4ac78e1ab6a4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4946ee4f-f553-4e4c-beba-0878e7b8315a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1010601
Signature
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/826a0a15b1dd1943316f40dcc16180705043558a14e9065227186d55bbe05343/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-06-05 04:51:47 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjvaufnr3umugmlpidomcymaobiegvmkctuqmurhdbwvlo7aknbq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220610-fhegvsffar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Malware Config
C2 Extraction:
opzxusdicnk.tk:20856
Unpacked files
SH256 hash:
e1e012af4f8d6fd5f837841b4b5ae02f739c0a1d927a52ccd9d8a912d133bc8a
MD5 hash:
27e58299238fcaf333e574f220af5202
SHA1 hash:
4faac4dbf55cf20a07bd92a951a3fe1b08db371c
Link:
https://www.unpac.me/results/a74875ce-5f0b-471f-954c-9d4d6a95a257/
SH256 hash:
826a0a15b1dd1943316f40dcc16180705043558a14e9065227186d55bbe05343
MD5 hash:
0d89cb117617178c6c34c1e10656b40b
SHA1 hash:
55d58208627545a40e90e1e4ee832978b4c498eb
Link:
https://www.unpac.me/results/a74875ce-5f0b-471f-954c-9d4d6a95a257/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/826a0a15b1dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/826a0a15b1dd1943316f40dcc16180705043558a14e9065227186d55bbe05343

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/278550/

Comments