MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 843a82d901ad671ab4f033657c08954a8349aff9c0f59eed8869c1a12b82f90f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 843a82d901ad671ab4f033657c08954a8349aff9c0f59eed8869c1a12b82f90f
SHA3-384 hash: 300c62b9aa672f63ee33a242cf9378c47ac470f5a8b3f17434625eb11a326dbbad660e3bdf1bf2520b28d7bf3053b296
SHA1 hash: 8685459f6caefaae31f10cb1209c1af587595931
MD5 hash: 0080e3eec11f9fb5129e8597f2290fc7
humanhash: don-river-ten-thirteen
File name:0080e3eec11f9fb5129e8597f2290fc7
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:429'056 bytes
First seen:2022-06-04 02:34:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc4a7f3cd4507c474f64143d22a6168e (2 x Smoke Loader, 1 x RedLineStealer)
ssdeep 12288:d+lH13koWS4a5Jo/ulN74NlHD1rXujNaN4Jr:d8H733o7j1+C4F
Threatray 3'473 similar samples on MalwareBazaar
TLSH T19694BF00BBD0C435F1F712F4597993A8B92E7EB1AB2850CB52D56AEE5634AE1EC30347
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 25ac1378319b9b91 (29 x Amadey, 24 x Smoke Loader, 14 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
763
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-06-04 02:00:31 UTC
Tags:
evasion trojan socelars stealer loader rat redline ransomware stop
Link:
https://app.any.run/tasks/178fe95b-290e-48b2-9a29-54102e4a8475

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276598/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.62842.15854.21762.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/629ac4e1e6995f3570093bc9/reports/fd186a97-da77-40ce-8316-ba9d18b54523/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/009085cf-45eb-41e8-af8e-9f840488e3de
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1006586
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/843a82d901ad671ab4f033657c08954a8349aff9c0f59eed8869c1a12b82f90f/
Threat name:
Win32.Trojan.GenSHCode
Create hunting rule
Status:
Malicious
First seen:
2022-06-03 21:45:43 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qq5ifwibvvtrvnhqgnsxycevjkbutl7zyd2z53minha2ck4c7ehq._file
Verdict:
malicious
Similar samples:
1d1b9bf21421307de579d650a5ebcfa0df585e27e2a8ce9fef7b3c352bb4c836
RedLineStealer
40848ff57e2fb3da6ff114bfb9ea13fb559162d4528136261f4f52296b4e76c7
RedLineStealer
b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01
RedLineStealer
c68962560934ff5b773428ce8a526719c78b8cbabe2e9e649a0bf832299e42a6
RedLineStealer
e079e6470d66d8e234fc2f36f401047fb00159ee8ff36fa1bc71a4f9d8f0e8da
RedLineStealer
e67a2b81bf50cd9aebc25271deb32bf15715d3f0a384489ff383d7e63e685d56
RedLineStealer
+ 3'463 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220604-c21bwsecg3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.124.22.7:5241
Unpacked files
SH256 hash:
444dc895cad3f610b7db029c2af4642f73715dc18aefaaab2d0bf47296b307aa
MD5 hash:
d0abbaed3fb04c5c7071c4f4c6306d54
SHA1 hash:
d46fdfe13d2c0bf11d0c722be125fb08f26f07fc
Link:
https://www.unpac.me/results/d3ab6ad6-fc70-4a3b-a929-4fc4af0de5e1/
SH256 hash:
fe2a70a2d5d27fa4c68ba29db92c5105916fd74e8e203bfe3af5a1547943f0ca
MD5 hash:
fa89a649dd4fb1882ffe412b751918d7
SHA1 hash:
9e1396c34097eae59ae587057f8a33b7ed0acd6a
Link:
https://www.unpac.me/results/d3ab6ad6-fc70-4a3b-a929-4fc4af0de5e1/
SH256 hash:
ade8e12827491876dadb8171c6b94270eba336f4f78776cdbe227ad8eb55a716
MD5 hash:
d3d4f88979f28568537701e2947de2d1
SHA1 hash:
43a3c41fa3e010d2294065739a7fa0d43435bc00
Link:
https://www.unpac.me/results/d3ab6ad6-fc70-4a3b-a929-4fc4af0de5e1/
SH256 hash:
843a82d901ad671ab4f033657c08954a8349aff9c0f59eed8869c1a12b82f90f
MD5 hash:
0080e3eec11f9fb5129e8597f2290fc7
SHA1 hash:
8685459f6caefaae31f10cb1209c1af587595931
Link:
https://www.unpac.me/results/d3ab6ad6-fc70-4a3b-a929-4fc4af0de5e1/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/843a82d901ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/843a82d901ad671ab4f033657c08954a8349aff9c0f59eed8869c1a12b82f90f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 843a82d901ad671ab4f033657c08954a8349aff9c0f59eed8869c1a12b82f90f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/276598/
  
URLhaus
https://urlhaus.abuse.ch/url/2224116/

Comments


Avatar
zbet commented on 2022-06-04 02:35:04 UTC

url : hxxp://193.124.22.8/salsa.exe