MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 851bba6f93b83f524a19a95ed9fd4f59d163de3d825ee276114b3d03ae206beb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 5 File information Comments

SHA256 hash:	851bba6f93b83f524a19a95ed9fd4f59d163de3d825ee276114b3d03ae206beb
SHA3-384 hash:	21a699305dd94e5187b33510e560893e8ce256347af70832416a5d3cc64948eac282a70870c73b37da9c24f2bf77698c
SHA1 hash:	f9df771dd53e6892c78397cedcfc728f75235f2d
MD5 hash:	98977e2f9c3f19f5481b7ecd8c238151
humanhash:	august-music-bluebird-jig
File name:	98977e2f9c3f19f5481b7ecd8c238151.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'962'640 bytes
First seen:	2022-03-23 19:51:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0f78032363a418160c8af5b309ffe105 (1 x RedLineStealer)
ssdeep	49152:+ntZ0q22l59ueeA5EuUvDAhh5vkroBJqvA00+:+tc2ZuP4U7AhX8kBUvA00+
Threatray	653 similar samples on MalwareBazaar
TLSH	T19795332A57E6C151C70BC03CD2579E369B60DB5B305C1FA5272AE49DCA93FBE3C62920
File icon (PE):
dhash icon	3070fec4a4b0c0c9 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
62.182.156.185:48571

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
62.182.156.185:48571	https://threatfox.abuse.ch/ioc/441616/

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

terSurvival_Beka.rar

Verdict:

Malicious activity

Analysis date:

2022-03-19 23:48:58 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/4c2c0f2d-e710-43f6-907a-b4ac25c50f57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/256840/

Detection(s):

Win.Packed.Obsidium-9942120-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/623b7a8ab94fb38cb4db6819/reports/ccbe6d68-7f2e-4f7b-9f15-ca8c492de5c8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd591935-8b5f-4a2a-bd9c-9735e1fdddac

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/963133

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/851bba6f93b83f524a19a95ed9fd4f59d163de3d825ee276114b3d03ae206beb/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-03-20 03:32:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 42 (59.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qun3u34txa7vesqzvfpnt7kplhiwhxr5qjpoe5qrjm6qhlranpvq._file

Verdict:

malicious

RedLineStealer

3507442790a6d27bf658e39d8be816c615bafdb98bcf623a2a4a36440a29cc57

RedLineStealer

7b56c37bff2fcded39ac0a413320b1705c70c78d257a2f87327d759afa0c10f2

RedLineStealer

a74f9ed962019491f7d2995e4c03ace954c0d4bb81cddb3e79cedd58c40dc6f1

RedLineStealer

c2edd73c44beb4bae6d666109f793c0e246a1cc28bf868d10841023283d880d5

RedLineStealer

c4723b946e8913f59ccb64d9025440820124104c653c79023f09d28da35d0442

RedLineStealer

e29619d32a3af2ede7b4087ff3be84ccf8a61c5dbd801a90fe71288b0f136f82

RedLineStealer

f2b0706066fbc556ed73ab393d00db40a5cf1a0d4b2dc7647172b122b83fb919

RedLineStealer

+ 643 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220323-yleadafadl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

7d763da6567c2e8ca4dfdac62b1ccacc9668bcb33592df995b960a868833c62c

MD5 hash:

ba18d1389c99eef4da16d90846aefc1d

SHA1 hash:

961a013ef0cc36f17e58bdc1362e4629248870ba

Link:

https://www.unpac.me/results/082f5646-3f85-497a-a274-cde648a81c31/

SH256 hash:

851bba6f93b83f524a19a95ed9fd4f59d163de3d825ee276114b3d03ae206beb

MD5 hash:

98977e2f9c3f19f5481b7ecd8c238151

SHA1 hash:

f9df771dd53e6892c78397cedcfc728f75235f2d

Link:

https://www.unpac.me/results/082f5646-3f85-497a-a274-cde648a81c31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/851bba6f93b83f524a19a95ed9fd4f59d163de3d825ee276114b3d03ae206beb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	PowerTool Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerTool, sometimes used by attackers to disable security software.
Reference:	https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/256840/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample