MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83b48c19f58ad284a16653a1e4eb298f18dc4a8d5931f3a5b408a8501516f809. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12


SHA256 hash: 83b48c19f58ad284a16653a1e4eb298f18dc4a8d5931f3a5b408a8501516f809
SHA3-384 hash: 32062984e9f9400fdf4c12f039996b46372da9d0e7ad72bf9c5fe5d8d2d8aee993c2ce91c69bf732616474aa3fc407b8
SHA1 hash: ff5c7d7ea7a8c616d5104b8334a479119489eeaa
MD5 hash: d1f6eb5442faa972aaf446916399a0a7
humanhash: minnesota-nineteen-eleven-queen
File name: d1f6eb5442faa972aaf446916399a0a7.exe
Signature: RedLineStealer
File size: 342'528 bytes
First seen: 2021-08-22 13:41:19 UTC
Last seen: 2021-08-22 14:51:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5f293e51015d9eef9ae7288b63a4f2b (3 x RaccoonStealer, 2 x RedLineStealer)
ssdeep: 6144:DGoylM4Q/T/JX++5FwBE7EH2FSKt6DsVzBv1QW/tN:pKMnr/JVFwBf2EDsPN
Threatray: 4'953 similar samples on MalwareBazaar
TLSH: T10274AE3076A0C035E5F712F895BAC3B8692A7D71DB3091CB62D526EA26387E4DC31397
dhash icon: ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.38.55.57:7575

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
193.38.55.57:7575 | https://threatfox.abuse.ch/ioc/192588/

Intelligence


File Origin
# of uploads: 2
# of downloads: 132
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d1f6eb5442faa972aaf446916399a0a7.exe
Verdict: Malicious activity
Analysis date: 2021-08-22 13:42:38 UTC
Tags: trojan rat redline stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Connection attempt
Sending an HTTP POST request
Sending a UDP request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-08-22 13:42:06 UTC
AV detection: 18 of 46 (39.13%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 193.38.55.57:7575
Unpacked files
SHA256 hash: a7cbe97a9a0e72247ac9adc920370ebd7047e930a6f29481070647a4e13f4388
MD5 hash: b715cf592b142e2439ac04e4584ffaff
SHA1 hash: ce0cab7f1fa7f6830e764edf164365f8357771b1

SHA256 hash: 02870ec80d34649f4babf75a5e25d5d9ff979a9d02af0d94f5ecffd43508c464
MD5 hash: 334daf946e36227115cea10d53386034
SHA1 hash: 3638569980e9911f7dbc59a613411d95521e5aa0

SHA256 hash: 1b25fdebbda332f7c6300aea2d7e3e0932674718187edda1aebafcc72b147b67
MD5 hash: 05ae28c772c4c22d5ba1c70d551c7675
SHA1 hash: 33964a9fd49845344786e35d6aba02593f356bc3

SHA256 hash: 83b48c19f58ad284a16653a1e4eb298f18dc4a8d5931f3a5b408a8501516f809
MD5 hash: d1f6eb5442faa972aaf446916399a0a7
SHA1 hash: ff5c7d7ea7a8c616d5104b8334a479119489eeaa
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | RedLineStealer | Executable exe | 83b48c19f58ad284a16653a1e4eb298f18dc4a8d5931f3a5b408a8501516f809 (this sample)

Delivery method: Distributed via web download

Comments