MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 922486b752574377692f0c1220595bd1d2b5545e68d3e4442bfd54e1569606e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 4 File information Comments

SHA256 hash:	922486b752574377692f0c1220595bd1d2b5545e68d3e4442bfd54e1569606e6
SHA3-384 hash:	5b12195834b70c0f511798085480df053caefff98960564b651c26dace11eb88cf1dddc618a8bfaad71966fd1d53e036
SHA1 hash:	e3fac6198f62d932718b4c8361b30af53ec07895
MD5 hash:	a7dfa85032951c4557637bf8827e9814
humanhash:	queen-papa-lamp-fifteen
File name:	a7dfa85032951c4557637bf8827e9814.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'698'480 bytes
First seen:	2022-02-06 08:29:23 UTC
Last seen:	2022-02-06 10:35:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep	98304:rgF54NPgLKuCydMcA/KmXrf84YMLR5ZuGP78LPQn:rA54tguJl9SiLuiALP8
Threatray	1'139 similar samples on MalwareBazaar
TLSH	T1EE0633D3ADC1ADDEDB0988742BB3F708B9E4F1B7D055DDA47A2D894A3278384E236414
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.219:34189

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.219:34189	https://threatfox.abuse.ch/ioc/374454/

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a7dfa85032951c4557637bf8827e9814.exe

Verdict:

Suspicious activity

Analysis date:

2022-02-06 09:42:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/660b2625-4a62-4178-941b-612897c63494

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/233738/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

DNS request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61ff8711ad4747e995053c96/reports/63d5ecb1-82f5-457f-acfc-5f4cce258b22/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a3a1a42-4955-4439-8448-74368fa38a9d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/922486b752574377692f0c1220595bd1d2b5545e68d3e4442bfd54e1569606e6/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-01-31 04:50:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sisinn2sk5bxo2jpbqjcawk32hjlkvc6ndj6irbl7vkocvuwa3ta._file

Verdict:

malicious

RedLineStealer

06af78c89fc6b79696c14326d98a5d8ff14ae51b4303c308a77d980dbd731922

RedLineStealer

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b

RedLineStealer

5ed9c8e4709af1af34ea8d1e6d5177c3d164c62c7dece9adcdd3d9c1b402484f

RedLineStealer

9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

RedLineStealer

c41ecbb533f6da059e2996cc5065805d2038ba4d0e670d57939b30b109bd6eba

RedLineStealer

c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb

RedLineStealer

c5b0b8b86878e2fda1194d28b3e2b6923541de1719f8b96975de34cbbc9aa537

RedLineStealer

cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de

RedLineStealer

+ 1'129 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220206-kd6g1agha5/

Unpacked files

SH256 hash:

6c01f4a94fe43f600ca5f8ece863fb9c6d6414e7a27f49b5583389a5333f0423

MD5 hash:

57bfee6b6faa7ab4565937ae4b696c01

SHA1 hash:

3f6d13ec9e8ffcb8abbaaca3ae744cbdc58cad5f

Link:

https://www.unpac.me/results/6c500f3e-6f7b-4ac0-a9a8-51ef3ddf70f3/

SH256 hash:

922486b752574377692f0c1220595bd1d2b5545e68d3e4442bfd54e1569606e6

MD5 hash:

a7dfa85032951c4557637bf8827e9814

SHA1 hash:

e3fac6198f62d932718b4c8361b30af53ec07895

Link:

https://www.unpac.me/results/6c500f3e-6f7b-4ac0-a9a8-51ef3ddf70f3/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/233738/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample