MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 922295fc8e35b0c40119f965ae4f9f00a4d585ec0fbccd14c34b4c1a3f012cd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 922295fc8e35b0c40119f965ae4f9f00a4d585ec0fbccd14c34b4c1a3f012cd7
SHA3-384 hash: 3e3cfcd2c756735dc9bf9e264c519bcb8cc6bd22d8d07d3b0d20cc9588c335aa59662951aef7f58ec8074ecdf4f7a426
SHA1 hash: e6038ac9324ee7aa092ab754c48a5d97983d5319
MD5 hash: 1ca5f33ffb87f631cf17e4fcd06eafc1
humanhash: black-wyoming-king-bulldog
File name:1ca5f33ffb87f631cf17e4fcd06eafc1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:369'664 bytes
First seen:2021-09-25 06:50:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 968069613992074265463fec272c56c9 (15 x RedLineStealer, 6 x RaccoonStealer, 2 x Tofsee)
ssdeep 6144:52b7z0RjfglbbQLgqMLoujb4iz9coRdgQe1bIXAhkf:52b7ejfgl4LCLFj9gQe9IXEkf
Threatray 2'966 similar samples on MalwareBazaar
TLSH T11674C020B7E0C039F4B702F659BA87B9A52D7AB06B3880CF63D516EA56746E4DC30357
File icon (PE):PE icon
dhash icon aad8ac9cc6a68ee0 (34 x RedLineStealer, 14 x RaccoonStealer, 11 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.15:6043 https://threatfox.abuse.ch/ioc/226451/

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-09-25 00:45:52 UTC
Tags:
evasion trojan opendir loader rat redline stealer vidar danabot
Link:
https://app.any.run/tasks/1f57e103-187e-415a-8ca4-9978176c21d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191319/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.25286.15261.19254.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0e9ebc1-9094-49cb-abc0-eb1b57bfe8ba
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857783
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/922295fc8e35b0c40119f965ae4f9f00a4d585ec0fbccd14c34b4c1a3f012cd7/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-09-25 00:43:38 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sirjl7eogwymiaiz7fs24t47acsnlbpmb66m2fgdjngbupybftlq._file
Verdict:
malicious
Similar samples:
0daafaabba4b9e232439faf36b2cccca8a4b8e6f7184fef5d5bb5678eea45e4e
RedLineStealer
2845a0336311d26575009dd5532c52b55c6f245bf81d7b44850a0418375dd32b
RedLineStealer
469a627980ff4878cd3f05a8f6e9261ea3d7ba9bcf53a512d646852889ff056f
RedLineStealer
46e9e160b1efdfc217e3640533c272b98678d2f3ee3d128100857da769b5d658
RedLineStealer
5c6ce925956ff002d7f3f533d18cdd06384f8d48998c49a9bfec4ce490971f14
RedLineStealer
92b39a0fdb659fb016015007629a7054bf8417898d6cecb1a097c08e580991ff
RedLineStealer
ad17a4a332b35781afa976739ae6925a7d968d68657b8f3882c55d3b82891cbc
RedLineStealer
c4d603632e2899f6542261b071867afe9b0edaa59f65b578fd4b26d2545ae779
RedLineStealer
c8b5d2344649034adbf12d74aaffcdc35ff13c2398acce155fc6e79d42f49dc7
RedLineStealer
df1f97bc36b16e89492eac798745c9427681c448aad6bc5398cb32d1f3c96891
RedLineStealer
+ 2'956 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix25.09 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210925-hmhfesafc2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:6043
Unpacked files
SH256 hash:
72a5b36978348ef7968de4fe0e26a714340e6d5be85240d6341a8310ca3ce7a9
MD5 hash:
4d4897170aa1a29a3d48ec13b3a7ddf8
SHA1 hash:
8ee59c320876d082e08668e8ac8c4cb21deb05dc
Link:
https://www.unpac.me/results/d7526041-e0f3-4eb8-86ec-4244b0491ac6/
SH256 hash:
8a10b04a69ea4f33033ee69135b8374c088890182e22323cf94dfff07a553a0c
MD5 hash:
6439f6e0bbe43e9b9bedafef50cda885
SHA1 hash:
5773f482ac7000e5c61486765f6b6f5a3ac0fefa
Link:
https://www.unpac.me/results/d7526041-e0f3-4eb8-86ec-4244b0491ac6/
SH256 hash:
ea36321ec338a2d48c296a3f5432eafd05b756281f57ee7a2304c99a7b3a1a97
MD5 hash:
d4b3271d26d832377840fbacfb3971d8
SHA1 hash:
33bf6e59baf3421f3d1ec79ad6123726f833bf1b
Link:
https://www.unpac.me/results/d7526041-e0f3-4eb8-86ec-4244b0491ac6/
SH256 hash:
922295fc8e35b0c40119f965ae4f9f00a4d585ec0fbccd14c34b4c1a3f012cd7
MD5 hash:
1ca5f33ffb87f631cf17e4fcd06eafc1
SHA1 hash:
e6038ac9324ee7aa092ab754c48a5d97983d5319
Link:
https://www.unpac.me/results/d7526041-e0f3-4eb8-86ec-4244b0491ac6/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/922295fc8e35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/922295fc8e35b0c40119f965ae4f9f00a4d585ec0fbccd14c34b4c1a3f012cd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 922295fc8e35b0c40119f965ae4f9f00a4d585ec0fbccd14c34b4c1a3f012cd7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1638129/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191319/

Comments