MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89064913fd45e3e669524d0f0ec65d83e2f238f25d942ba7491dda853b279826. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 7 File information Comments

SHA256 hash:	89064913fd45e3e669524d0f0ec65d83e2f238f25d942ba7491dda853b279826
SHA3-384 hash:	24cc8fb6ef99d2bb4db55a5f9427b78bc30a5fd380f0fb75d9c00f2f181ee068357402abe6f4000d93924f6f04195176
SHA1 hash:	039aa9303320ecbb671ebed96c40200705228ee2
MD5 hash:	91b80d727ddd4512e60ca369a4cc6034
humanhash:	item-kansas-november-oven
File name:	89064913fd45e3e669524d0f0ec65d83e2f238f25d942.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	260'752 bytes
First seen:	2021-07-14 11:11:06 UTC
Last seen:	2021-07-14 11:57:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:4qsF/tWNfLzIP0IR81hS+LfAsxMpHU4XcXW+:4H/8NfLzIP0u8bSgpxMpzqW+
Threatray	956 similar samples on MalwareBazaar
TLSH	T189448D98B7564509C6388531E0E3026807F3DECA72A2DF067AC639D50F733ED5E56E8A
Reporter	abuse_ch
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	ProcessInfo
Issuer:	ProcessInfo
Algorithm:	ecdsa-with-SHA256
Valid from:	2021-07-13T11:00:00Z
Valid to:	2022-07-14T07:00:00Z
Serial number:	9a625c30d1e40b9c
Thumbprint Algorithm:	SHA256
Thumbprint:	3173448a3a96f14557ac971b62ffe611cc519d3a41e5b18c93929b91d66dc9af
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RedLineStealer C2:
185.244.182.34:56068

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.244.182.34:56068	https://threatfox.abuse.ch/ioc/160383/

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

89064913fd45e3e669524d0f0ec65d83e2f238f25d942.exe

Verdict:

Malicious activity

Analysis date:

2021-07-14 11:12:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ef0d54c2-02d7-412e-a53f-9b35acebe1a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/171634/

Detection(s):

SecuriteInfo.com.generic.ml.22496.25175.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1e0e2f45-a9ef-401f-bbc9-2253b682b93d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/816164

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89064913fd45e3e669524d0f0ec65d83e2f238f25d942ba7491dda853b279826/

Threat name:

ByteCode-MSIL.Infostealer.Reline

Status:

Malicious

First seen:

2021-07-14 10:29:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=redese75ixr6m2ksjuhq5rs5qprpeohslwkcxj2jdxnikozhtata._file

Verdict:

malicious

Label(s):

masslogger

RedLineStealer

20ed0f1b402d630a3e131e9e788c57a74d348bcc358e1c0e6f5fd112ad838ab3

RedLineStealer

2e641d4ca1ec2d70e05dcfea340e14375c20cc66dcb964c003a43a71ae8ea911

RedLineStealer

2ff7ffce923329f55bc637371e54822d6ceee9962c807ccc42e3301e0a8a2cae

RedLineStealer

43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb

RedLineStealer

76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93

RedLineStealer

b7a349a271b8a72e5f061347c5025b9f71672122cd648742aea6ccaf3f7b84df

RedLineStealer

bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034

RedLineStealer

f84ae3bdd7a26957eebe4e4893718bd512960c013a8aa4903998af16072c0041

RedLineStealer

+ 946 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:newbuilder999 agilenet discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210714-kzez58jlwj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.244.182.34:56068

Unpacked files

SH256 hash:

fb5135bd808203d08256a90511cfc1b025dd455881053c5194a9e06d6bdf1935

MD5 hash:

a9f89428c404d991dbe23bdf28ce140c

SHA1 hash:

898cae735efdc289742e8af4ef7a61d3280378fa

Link:

https://www.unpac.me/results/70d7fa9b-03b9-4d4a-9bc3-47691fb5bc41/

SH256 hash:

badb1fd83b556cb7267b04f72204de4fe837fe9b58cdda92cf818f5a440cc76c

MD5 hash:

d8c7842743c987224761dd72924a8621

SHA1 hash:

6720d1cc602bdb05ecad51ca3b68a19b51d0389f

Link:

https://www.unpac.me/results/70d7fa9b-03b9-4d4a-9bc3-47691fb5bc41/

SH256 hash:

89064913fd45e3e669524d0f0ec65d83e2f238f25d942ba7491dda853b279826

MD5 hash:

91b80d727ddd4512e60ca369a4cc6034

SHA1 hash:

039aa9303320ecbb671ebed96c40200705228ee2

Link:

https://www.unpac.me/results/70d7fa9b-03b9-4d4a-9bc3-47691fb5bc41/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/89064913fd45e3e669524d0f0ec65d83e2f238f25d942ba7491dda853b279826

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)