MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b9faf8a502815c588c52a7306c519d45128230e7e96b52ddafe422419d1b560. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b9faf8a502815c588c52a7306c519d45128230e7e96b52ddafe422419d1b560
SHA3-384 hash: 264b550816d71a698ddfd3dde78401c9bc317197bec106156e9fdb264d82aa9c172defb9fa43c9153e5c3ae80a0d5251
SHA1 hash: a6c17509260a712abaf33018e0ee162ce27839c4
MD5 hash: de452e5d7c842ac2c4a063a69a1a8294
humanhash: network-bravo-ceiling-hotel
File name:de452e5d7c842ac2c4a063a69a1a8294.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:416'768 bytes
First seen:2022-05-22 13:05:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0588ee478c2f970a1d27d379ec7f0453 (7 x RedLineStealer)
ssdeep 6144:iHZ+orXyHagWsBAZY/wGxkuIdfwISMpmP0C3uGoiM79OCWChevS4/AaAdk/z:i5jXKrWAkGxkndYsCulsCWTbYam
Threatray 6'320 similar samples on MalwareBazaar
TLSH T1C994BF107A90D035F5B315F88AB9C3ACB92DBEA1EB2450CB52E57AEE56346D0EC31317
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
141.255.161.70:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
141.255.161.70:81 https://threatfox.abuse.ch/ioc/623370/

Intelligence

File Origin
# of uploads :
1
# of downloads :
388
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
de452e5d7c842ac2c4a063a69a1a8294.exe
Verdict:
Malicious activity
Analysis date:
2022-05-22 13:07:31 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4aa2d9b5-6111-4989-943d-20f31700d360

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273440/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19539/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed pandora smokeloader trickbot
Link:
https://www.filescan.io/uploads/628a353c6eb3ff32631f0fcf/reports/44862dc6-52c5-4901-81e8-9e0768d96e93/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ebe1a2e-52af-4639-928d-b8714723430d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999342
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b9faf8a502815c588c52a7306c519d45128230e7e96b52ddafe422419d1b560/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 13:06:08 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rop27csqfak4lcgffjzqnriz2risqiyop2llklo27zbcigorwvqa._file
Verdict:
malicious
Similar samples:
50f4c1d10f7d9db371f096754adb5a78750ff213bed7a70c7e45f1e820ed2787
RedLineStealer
5503e87f42c7e3e3011bc3e590646dbfb2079c1fefd3d855dc0ab3356fdb1d85
RedLineStealer
5fd46b0d3207b06f1575d40854fc514235485cc242428f07d6b06b9b3081112f
RedLineStealer
ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a
RedLineStealer
ab9076d2fc3411897b5db85ac2c3c5fa791049b2f98b92dcf059fd0f48d4262a
RedLineStealer
c4a412a1fca86dda2d7bf0491bff6adec8584e45c4c17e03b4b073b1368a7f57
RedLineStealer
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
RedLineStealer
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
RedLineStealer
+ 6'310 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:testtes discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220522-qb3afsdeaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
iclarinyerac.xyz:81
manellylarii.xyz:81
Unpacked files
SH256 hash:
b67b09dd39eb7564d4e371ef079e130bf6a4a3b40fe5b07d13887ed86ebe9790
MD5 hash:
c4695b9e7e84cad2b088d32e3d56c846
SHA1 hash:
e830742485a99bb1835c2976c5131a950367296a
Link:
https://www.unpac.me/results/3e149389-1c73-49e2-b1af-3db359e9cf9e/
SH256 hash:
70e485b6550d675818dc0d0831ad81e60a3ddc54649fb65f383ce4593f8721f7
MD5 hash:
b0f41845f56327c0d8c212c87b52c28a
SHA1 hash:
9de03bad3ab46c5f2267e01bca9552799a9907a3
Link:
https://www.unpac.me/results/3e149389-1c73-49e2-b1af-3db359e9cf9e/
SH256 hash:
c6fee715ea9e0466f0a877261c8968fc1f3c2e818116612c02fc36b04d74daad
MD5 hash:
22383dd856b6541c834f1234df28103b
SHA1 hash:
0b6cd27f0050dd46b262ca708772013370fc0706
Link:
https://www.unpac.me/results/3e149389-1c73-49e2-b1af-3db359e9cf9e/
SH256 hash:
8b9faf8a502815c588c52a7306c519d45128230e7e96b52ddafe422419d1b560
MD5 hash:
de452e5d7c842ac2c4a063a69a1a8294
SHA1 hash:
a6c17509260a712abaf33018e0ee162ce27839c4
Link:
https://www.unpac.me/results/3e149389-1c73-49e2-b1af-3db359e9cf9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b9faf8a502815c588c52a7306c519d45128230e7e96b52ddafe422419d1b560

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8b9faf8a502815c588c52a7306c519d45128230e7e96b52ddafe422419d1b560

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2206473/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273440/

Comments