MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 926d1980fcca74794210a126faebacadeeb1b81a328f1d382531945b703f8aae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 2 YARA 9 File information Comments

SHA256 hash:	926d1980fcca74794210a126faebacadeeb1b81a328f1d382531945b703f8aae
SHA3-384 hash:	2166c15a8c2e55003cd0e3cfd8ec4276a49120c717c56c665e67d6f9457c1379f158fcab5632b0f59f3d551b43daadee
SHA1 hash:	b3ab594e008a7507a3b5b103de156c27e1ecdbbe
MD5 hash:	7ed02ca6683bae4874c4c904866f2e96
humanhash:	high-sierra-ink-pizza
File name:	7ED02CA6683BAE4874C4C904866F2E96.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'186'304 bytes
First seen:	2021-07-21 20:56:10 UTC
Last seen:	2021-07-21 21:40:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:pXulNHDOADSqdlwLiI/Jr//VnY8IZPECKC0EQFbH3tNzvL3tHiDGYberXkk:pGjbXdlwZ/1/ZWNWh3tNzvL3/Nr0
Threatray	6 similar samples on MalwareBazaar
TLSH	T15C453397264E8101C65C76F364DDE89A2F24F750ADD53BB0934309ADCF8C686F9B270A
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.231.69.253:6677

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.231.69.253:6677	https://threatfox.abuse.ch/ioc/161991/
http://185.231.69.253:6677/IRemotePanel	https://threatfox.abuse.ch/ioc/161992/

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7ED02CA6683BAE4874C4C904866F2E96.exe

Verdict:

Malicious activity

Analysis date:

2021-07-21 20:59:35 UTC

Tags:

trojan rat redline evasion stealer

Link:

https://app.any.run/tasks/54f9141e-4c58-4e13-adce-7c9ee7674cb7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/173172/

Detection(s):

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c2ea7236-a0cd-4a35-b0d5-c4c309a999d3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/819777

Signature

.NET source code contains potential unpacker

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/926d1980fcca74794210a126faebacadeeb1b81a328f1d382531945b703f8aae/

Threat name:

Win32.Infostealer.RedLine

Status:

Malicious

First seen:

2021-07-18 14:36:59 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjwrtah4zj2hsqqquetpv25mvxxldoa2gkhr2obfggkfw4b7rkxa._file

Verdict:

malicious

RedLineStealer

3d031ccd29e2ee2a59b640b2644b68121351917397bd6a9a0fd31b359e1c73bd

RedLineStealer

45e9959441e6e30c4c7a4dd8b3d56b88ad09d2ad253851ea79be62ec9c1c8f68

RedLineStealer

526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5

RedLineStealer

7ec599424a161fe942345c2336dd0cfb8c7d64e6e72b8e90efd999328b06cc04

RedLineStealer

ab3bae35acc023bc94bea153fc9ccf4a25071ebd4e67f54c0767e3c829509e46

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210721-jmcm7nw4ea/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

RedLine

Unpacked files

SH256 hash:

926d1980fcca74794210a126faebacadeeb1b81a328f1d382531945b703f8aae

MD5 hash:

7ed02ca6683bae4874c4c904866f2e96

SHA1 hash:

b3ab594e008a7507a3b5b103de156c27e1ecdbbe

Link:

https://www.unpac.me/results/48e80ce2-8d6a-471c-9e2d-34271054e204/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/926d1980fcca74794210a126faebacadeeb1b81a328f1d382531945b703f8aae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_smominru_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173172/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample