MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 831977a3dbdd231b3bddfc7ee04d9d07426c3d4de8d88aba05f19cfcae8524d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 831977a3dbdd231b3bddfc7ee04d9d07426c3d4de8d88aba05f19cfcae8524d9
SHA3-384 hash: 371134fcdaf0367b1cf1afd517a2857f9172e7dcb5daa295daa666dac280f2ebc8e4d5b8ccde607a5fb47c26eff396d7
SHA1 hash: 6b0a5c2b13e87c720c5725ab8e341f50583ab89b
MD5 hash: 2f334bf00f5152ca5f01c3982bbad4a3
humanhash: kentucky-georgia-hot-fanta
File name:2f334bf00f5152ca5f01c3982bbad4a3
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:305'152 bytes
First seen:2021-12-01 05:05:53 UTC
Last seen:2021-12-01 06:51:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2aad955a2b43c6309ea940b357fc162c (4 x RedLineStealer, 4 x Amadey, 1 x Smoke Loader)
ssdeep 6144:X2ECIjjMkJ7z2g6XYhlQSgZzvFWypU2CKeKoAl4+wvY:XFCIjjryiQSgZRVpURKxFw
Threatray 3'336 similar samples on MalwareBazaar
TLSH T1CA54E10132E68433E1E6463368349AA0FA7F7C33FA72814B2755163EAFB07D09975B56
File icon (PE):PE icon
dhash icon fcfcf4f4d4d4d8c0 (12 x RedLineStealer, 12 x RaccoonStealer, 3 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2f334bf00f5152ca5f01c3982bbad4a3
Verdict:
Malicious activity
Analysis date:
2021-12-01 05:07:37 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2727cc0b-9e56-4148-a701-ce36f8b42e95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210158/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.7530.9229.31805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/61a702beb3ca88e2e77402f2/reports/31fe8e03-84a0-4793-981b-84a7db197d5b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/109e4292-f1b0-4da9-b2b4-a6c2d158bbb5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899154
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/831977a3dbdd231b3bddfc7ee04d9d07426c3d4de8d88aba05f19cfcae8524d9/
Threat name:
Win32.Trojan.MintTitirez
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 05:06:12 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qmmxpi633urrwo657r7oatm5a5bgypkn5dmivoqf6gopzlufetmq._file
Verdict:
malicious
Similar samples:
1e4d22b644db33118955f64d7dc91e61696dbdff24760fda12c33c3289e2215a
RedLineStealer
6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9
RedLineStealer
6db7d6d4109963c686547ba997a0eb8fae8112f9bfcb225d3bc62b06113ce36e
RedLineStealer
6f4d0be0c5e4824c213ca020779cee9279d0ed576c2a13d058ecfd992ade3d9e
RedLineStealer
863ffe4f5f345bedf85854875b10c19fcd8d951562eab07a0b5dc9e892abb4bf
RedLineStealer
991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f
RedLineStealer
d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718
RedLineStealer
d5f04584fde35671d8d19ba4c07f294261fbfc655e9632da43a92d524899a504
RedLineStealer
+ 3'326 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mood discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211201-fre5raaaem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
178.238.8.47:36439
Unpacked files
SH256 hash:
f692532fc91c1cf88c5be64f5542394a423037f2814c38d3bd412864a8a45cdb
MD5 hash:
29e14a053040f6a63bcd83a8c119e469
SHA1 hash:
f49cba0580df8d11ff0bf545fffffad613b11857
Link:
https://www.unpac.me/results/0bd20c17-d2aa-4a38-924d-d5a384c4c32e/
SH256 hash:
49a1fec3d67db78345e9097f0ddc692f53ff9139b0dc9b1b5ead4db4153f68df
MD5 hash:
f9a31437a5e4d051b15478dc29736acc
SHA1 hash:
b5daf713cbb55a6e934c69f8fe6b1d9146b8cf5c
Link:
https://www.unpac.me/results/0bd20c17-d2aa-4a38-924d-d5a384c4c32e/
SH256 hash:
bf557176f51a4c669b632b3e5f391586ffcb3d6c8459bf3f19d7de8dc14a3931
MD5 hash:
95c39b15e75768b55619b17c96431877
SHA1 hash:
866553b2a2c945244d021362553319882ce8d9a8
Link:
https://www.unpac.me/results/0bd20c17-d2aa-4a38-924d-d5a384c4c32e/
SH256 hash:
831977a3dbdd231b3bddfc7ee04d9d07426c3d4de8d88aba05f19cfcae8524d9
MD5 hash:
2f334bf00f5152ca5f01c3982bbad4a3
SHA1 hash:
6b0a5c2b13e87c720c5725ab8e341f50583ab89b
Link:
https://www.unpac.me/results/0bd20c17-d2aa-4a38-924d-d5a384c4c32e/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/831977a3dbdd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/831977a3dbdd231b3bddfc7ee04d9d07426c3d4de8d88aba05f19cfcae8524d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 831977a3dbdd231b3bddfc7ee04d9d07426c3d4de8d88aba05f19cfcae8524d9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1839753/
Cape
Cape
https://www.capesandbox.com/analysis/210158/

Comments


Avatar
zbet commented on 2021-12-01 05:05:54 UTC

url : hxxp://212.193.30.29/USA/Base300us.exe