MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55
SHA3-384 hash: 541a23b9b6b4ba330cc89216399603cc0427ae62915fc96462b7cc6cc658ca3b9fd3dc88f52687ffb229456f0ef1f15c
SHA1 hash: 691c559c5635d0aa4876991ac6f4991ae34bc808
MD5 hash: bc7c9e9d6e7101889717dd43e7bf2103
humanhash: oranges-cup-seventeen-chicken
File name:bc7c9e9d6e7101889717dd43e7bf2103
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'614'480 bytes
First seen:2021-12-03 03:05:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc5a0b25e0a6ba28c2e5962511dad181 (1 x RedLineStealer)
ssdeep 24576:q2WuJrCAfYGN7gsWkGf8mygBqMIx3yn7E8ZGU:q23JOAfYGRikGfjLAMS3yv
Threatray 38 similar samples on MalwareBazaar
TLSH T13475A12BB7DC424DF9049839A082BA01EA1416D5BEFDF1E8DF7BAD473742CE4714A1A1
File icon (PE):PE icon
dhash icon 71e88e8e9e96e871 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bc7c9e9d6e7101889717dd43e7bf2103
Verdict:
Malicious activity
Analysis date:
2021-12-03 03:08:08 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/34dd884f-09dc-44a1-9575-29ee822374fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210922/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/614/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61a989664d8e6f3a5e0c3100/reports/4131bd2f-b162-4a32-9847-a28af15a751f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42b9a6a1-697e-44c8-81bf-f32810562cf3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900652
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-02 23:41:29 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
RedLineStealer
27e3dba2c9a650f67d7d14b0fcc6c49cbf71b995e555651736b10030804c31e1
RedLineStealer
36d1c7bd0d09f604463f4e5ed69d13242104989fcd38196acc9b20404ceb61b5
RedLineStealer
53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f
RedLineStealer
63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f
RedLineStealer
63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab
RedLineStealer
ee0c781e4af18d8d80599abd9baa65861ff4920fee312b8af06d83fc91e9959b
RedLineStealer
f2dc381b529cbc75c03ca8bf1886b0ee6b1e2622f8918a27a876c50889e2ae7e
RedLineStealer
f2edf69ca64bb435d61ded2c3ca210d1bd19952c19275b7bd65d0d707fedadaa
RedLineStealer
+ 28 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211203-dk8sdahah2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
4eb2bf0a10eed70d09698b2aedf07da776fd3055bbe6726a912240fdf89c4b50
MD5 hash:
655593fe77621330efbc3b7f4401767e
SHA1 hash:
bb008b90e02040037455089dcec5f3e7cde50693
Link:
https://www.unpac.me/results/085d3aa7-c2b2-4453-91a7-152a45866942/
SH256 hash:
862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55
MD5 hash:
bc7c9e9d6e7101889717dd43e7bf2103
SHA1 hash:
691c559c5635d0aa4876991ac6f4991ae34bc808
Link:
https://www.unpac.me/results/085d3aa7-c2b2-4453-91a7-152a45866942/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/862bca412c4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/210922/
  
URLhaus
https://urlhaus.abuse.ch/url/1846361/

Comments


Avatar
zbet commented on 2021-12-03 03:05:05 UTC

url : hxxp://5.255.103.37/myforum/uploads/310.exe