MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82ce0fa4cc3e7833c719c899edb4b95eccafcc52c8d7f8f9e043890d62a7da50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 7



SHA256 hash: 82ce0fa4cc3e7833c719c899edb4b95eccafcc52c8d7f8f9e043890d62a7da50
SHA3-384 hash: 28a0208530b63e3cea004a95405c6721b5b33f1acdb8d89e874fc3b71b9baae51d07ff564ccce60b66dd6bd206c86435
SHA1 hash: 75ae5f342e240e191393d47b0f5550d4f4e4fe2c
MD5 hash: bb01110f000d6a06eb3bce0024aaedc1
humanhash: hot-delaware-twenty-item
File name: bb01110f000d6a06eb3bce0024aaedc1.exe
Signature: RedLineStealer
File size: 153'600 bytes
First seen: 2021-08-15 06:55:11 UTC
Last seen: 2021-08-15 07:46:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 3072:pUhKk33QT9iQBFLw8ClgjfwD1/tVm757hZ+1w5SoCT7sh:6hn3gpbLw1jy757h3dCT7s
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1E8E3398C766076DFC85BC876CEA82C74EA60747B931B9243A45316ED9E0C99BCF141F2
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.53.46.25:38743

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
185.53.46.25:38743   https://threatfox.abuse.ch/ioc/186188/

Intelligence


File Origin
# of uploads: 2
# of downloads: 179
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bb01110f000d6a06eb3bce0024aaedc1.exe
Verdict: No threats detected
Analysis date: 2021-08-15 07:06:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Deleting a recently created file
Using the Windows Management Instrumentation requests
Creating a window
Sending a UDP request
Creating a file
Stealing user critical data
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Threat name: ByteCode-MSIL.Trojan.Gorgon
Status: Malicious
First seen: 2021-08-14 21:56:21 UTC
AV detection: 11 of 28 (39.29%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:usacash888 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Core1 .NET packer
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.53.46.25:38743
Unpacked files
SHA256 hash: 82ce0fa4cc3e7833c719c899edb4b95eccafcc52c8d7f8f9e043890d62a7da50
MD5 hash: bb01110f000d6a06eb3bce0024aaedc1
SHA1 hash: 75ae5f342e240e191393d47b0f5550d4f4e4fe2c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer   Executable exe   82ce0fa4cc3e7833c719c899edb4b95eccafcc52c8d7f8f9e043890d62a7da50 (this sample)

Delivery method: Distributed via web download
