MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d50c214c28a02f115f41150f829eee4be5a8ab43d9c3f59c8159d485c96475a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	8d50c214c28a02f115f41150f829eee4be5a8ab43d9c3f59c8159d485c96475a
SHA3-384 hash:	13c60a37bc60659d62ac87bfad81f274865cbde34e1db01b104adcc48019c26a0356381d718f991d684d046786c9a265
SHA1 hash:	b6448213e1eb21d5c7a1fb98420944346aa841ac
MD5 hash:	021f3e473160aeef25289bae9d7df8e9
humanhash:	pizza-lithium-butter-three
File name:	021f3e473160aeef25289bae9d7df8e9.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	369'664 bytes
First seen:	2021-03-28 21:25:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	22b05fbcc750246fc1a168b10e3a36dd (2 x RedLineStealer)
ssdeep	6144:IzwXO6m1IBbhECfqAtbIcESMdHmEKbUqHxM9Pb1CO7bkWHaB:BXOT1IgCS8ccsmEBqHqR1CM6B
Threatray	511 similar samples on MalwareBazaar
TLSH	1574E0217790D033D19626B94621D7B14A3EBC714B3553CB7B942BBE9F312E18A32B87
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://lordliness.store:40355/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://lordliness.store:40355/	https://threatfox.abuse.ch/ioc/5642/

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

021f3e473160aeef25289bae9d7df8e9.exe

Verdict:

Malicious activity

Analysis date:

2021-03-28 21:30:37 UTC

Tags:

rat redline trojan evasion

Link:

https://app.any.run/tasks/f23cb7ef-37b4-44c7-8cd6-82d7aeb4df4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/127391/

Detection(s):

SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL

Win.Malware.Generic-9847477-0

Win.Dropper.Ursnif-9847634-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d2db6a1-8c54-43c3-b563-076d529ee816

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/656274

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8d50c214c28a02f115f41150f829eee4be5a8ab43d9c3f59c8159d485c96475a/

Threat name:

Win32.Trojan.Mokes

Status:

Malicious

First seen:

2021-03-26 00:48:40 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rvimefgcribpcfpucfipqkpo4s7fvcvuhwod6woicwouqxewi5na._file

Verdict:

malicious

RedLineStealer

254f8a160343897dc3e748af2f4c2164455afe3daaa75654c0a7e13483a43f0c

RedLineStealer

3a77d697b35b9de741ac611c904aca942a17d4ac8f786f4f9b9532dec277a8f6

RedLineStealer

411c2e9854cd5405b206312a9645021c81b8ae0d1ed8c2752e67b17fd075a4d1

RedLineStealer

4ef2301fc3da6b681932cd7a7d32fa6a86800651976a1b9a847864a65f6234f8

RedLineStealer

807e65fc407c3d9f024b10e8cfb20c2e10ad067aa217fe97ec1b075c24dbc936

RedLineStealer

95c5c298a4e0b3a381d03d5c32d4bd420050aa6d4833a7aadf5607885a97ece3

RedLineStealer

b3c2ed1edebee42767277652dbdb2c3c17c3b33707c975b1679e956658701825

RedLineStealer

bef5636daa6cccce3b38d8d284de1cb1ad2cfb36cbcaede1c8f7478e706f1201

RedLineStealer

ce5bcaea5743241940863029bac94171057d34ad93faa432f158b0c1e50ecf02

RedLineStealer

+ 501 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210328-y2nrve9pdn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

RedLine

Unpacked files

SH256 hash:

1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9

MD5 hash:

78a535422e2f6ee38d23303739633df4

SHA1 hash:

a79eb74129aaa63ca4175bad850510667e876255

Link:

https://www.unpac.me/results/a11708e3-1497-409d-81c2-fbfd4e82d0bd/

SH256 hash:

bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630

MD5 hash:

71705e85f8748ca46e31537e62e19037

SHA1 hash:

4f2b3ee4cf0809016c4a9f6958ec752067d838cd

Link:

https://www.unpac.me/results/a11708e3-1497-409d-81c2-fbfd4e82d0bd/

SH256 hash:

aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848

MD5 hash:

c61ed3bf3203c28408a6b58a338b0b07

SHA1 hash:

1eafb1e9511440ba36ba0f05d3fe0f076805fd75

Link:

https://www.unpac.me/results/a11708e3-1497-409d-81c2-fbfd4e82d0bd/

SH256 hash:

8d50c214c28a02f115f41150f829eee4be5a8ab43d9c3f59c8159d485c96475a

MD5 hash:

021f3e473160aeef25289bae9d7df8e9

SHA1 hash:

b6448213e1eb21d5c7a1fb98420944346aa841ac

Link:

https://www.unpac.me/results/a11708e3-1497-409d-81c2-fbfd4e82d0bd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8d50c214c28a02f115f41150f829eee4be5a8ab43d9c3f59c8159d485c96475a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127391/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample