MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 847d04c20badc69bf87617204f50b8ab0a4c1837466025c5cefc115569b581c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	847d04c20badc69bf87617204f50b8ab0a4c1837466025c5cefc115569b581c7
SHA3-384 hash:	37ea78afbfa410d77a7f2ac8a9a9747e5890dfc97ded7338bc9f1b49953998c80be6b5bf6f8a9cea1981c8c17909cdc3
SHA1 hash:	a8ffdbacc1350d06b45e01719985acba330f7d0a
MD5 hash:	ba62de22db1dda8df7401fcd9455b812
humanhash:	shade-quebec-pip-vermont
File name:	invoice.jpg.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	513'390 bytes
First seen:	2021-03-23 18:36:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	6144:jjT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAWkPgSibXRXH2kKt7:jRZ+IoG/n9IQxW3OBseVPtibXRXH2jN
Threatray	528 similar samples on MalwareBazaar
TLSH	55B4AE02F98054F2CAA11F7145366E30593B7E203F34FA9F9798792A9B331D1A631B67
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://2.56.214.233:3214/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://2.56.214.233:3214/	https://threatfox.abuse.ch/ioc/4747/

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

invoice.jpg.exe

Verdict:

Malicious activity

Analysis date:

2021-03-23 18:59:20 UTC

Tags:

rat redline trojan stealer

Link:

https://app.any.run/tasks/f22ed250-f819-4949-b28f-73c579e55efe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/126975/

Detection(s):

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %temp% subdirectories

Launching a process

Creating a file

Creating a process from a recently created file

Sending a UDP request

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/023cc9d8-72cf-4492-aec4-1410109219c9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/650612

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Binary contains a suspicious time stamp

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/847d04c20badc69bf87617204f50b8ab0a4c1837466025c5cefc115569b581c7/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2021-03-23 18:37:06 UTC

AV detection:

20 of 48 (41.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qr6qjqqlvxdjx6dwc4qe6ufyvmfeygbxizqclroo7qivk2nvqhdq._file

Verdict:

malicious

RedLineStealer

28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd

RedLineStealer

4824693d37ee0c444b89e21a2ae1cba396927f299e88751759635b2795c1bc96

RedLineStealer

5cd8924328a7410215c895cd0de484846df13d583e15650ded75ba62b88c17d0

RedLineStealer

7125ff46ae7468216b1764b9e22b5811d4890f33a237776c6cbf22c8d8f09bbc

RedLineStealer

7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4

RedLineStealer

8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c

RedLineStealer

83591d8a19e792f771276deb5ed430ab1192b51f605a9ca7386161eaf520d0fa

RedLineStealer

85f68c16519e6f833c593ed0e6b735366c061bb808c6228d730b48e3f025a9a5

RedLineStealer

a80220c129dabdfc9a8159b120994e4e8a21b8c7a4709b8c6df717401d7b3924

RedLineStealer

+ 518 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210323-gxspmvdcv2/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

RedLine

Unpacked files

SH256 hash:

847d04c20badc69bf87617204f50b8ab0a4c1837466025c5cefc115569b581c7

MD5 hash:

ba62de22db1dda8df7401fcd9455b812

SHA1 hash:

a8ffdbacc1350d06b45e01719985acba330f7d0a

Link:

https://www.unpac.me/results/5fb04d15-85c8-4d4c-80f0-dcf96b5cba60/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/847d04c20badc69bf87617204f50b8ab0a4c1837466025c5cefc115569b581c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/126975/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample