MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9be9c226d1770430b003c7722d362a1d83d2e6896544826a1e4ad141a54d9865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9be9c226d1770430b003c7722d362a1d83d2e6896544826a1e4ad141a54d9865
SHA3-384 hash: 772b4d6171854610df7d791e2c4d7c205acd1e30d1a4dd35b9f96d5fe1d3ba21ba250dc4d7fddabf7491ea5551c34dbd
SHA1 hash: b8de0ccc5363fad357b7ef123298b05c87a2429c
MD5 hash: c4f4e2e9c897683510110592e08851aa
humanhash: alpha-colorado-winter-speaker
File name:c4f4e2e9c897683510110592e08851aa.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:441'344 bytes
First seen:2022-05-21 20:30:53 UTC
Last seen:2022-05-21 21:31:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash db57d5e3d04b9a257784f752aaee46da (3 x RedLineStealer, 2 x Smoke Loader, 1 x RemcosRAT)
ssdeep 6144:FjAAjbGkGrrAU76meGsDccqMWMpI7HRiga3wVf:tAEbGksreGmHlW+I7H0
Threatray 5'601 similar samples on MalwareBazaar
TLSH T15094F182BF90DC34E0A22E3054A1D772577BB52266709547F790DBAF1EB3390CA7631A
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 5c595a3ce0c1c850 (5 x Stop, 5 x RedLineStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
141.255.161.70:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
141.255.161.70:81 https://threatfox.abuse.ch/ioc/623370/

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
PC_En-1652877624_setup.exe
Verdict:
Malicious activity
Analysis date:
2022-05-18 12:58:04 UTC
Tags:
stealer loader redline opendir trojan rat phishing hiloti evasion
Link:
https://app.any.run/tasks/f64cfbd6-6eb1-4954-bf4e-ab39dffc00e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273327/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19485/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypter greyware packed
Link:
https://www.filescan.io/uploads/62894c066eb3ff32631b8ceb/reports/c8129419-8c88-4fc1-97db-96f29fe1d6bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eeaaf502-3b2b-4c48-afd1-9e31adbe8873
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999154
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9be9c226d1770430b003c7722d362a1d83d2e6896544826a1e4ad141a54d9865/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 16:05:32 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
33 of 40 (82.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpu4ejwro4cdbmady5zc2nrkdwb5fzujmvcie2q6jliudjkntbsq._file
Verdict:
malicious
Similar samples:
0bc6fcf4a893f9381f6fee3773514a8d0dd6f35ba304a9c383bf82f62dfd34ae
RedLineStealer
3350b461fc9e5ee4a6495969d6d7e962e809db4150e7673a94d430a780d6481d
RedLineStealer
534eb8b43f3bec8e99eb7ae6f57ba7fe0ff8fdc3bfa11322cd4c875f50174cca
RedLineStealer
5503e87f42c7e3e3011bc3e590646dbfb2079c1fefd3d855dc0ab3356fdb1d85
RedLineStealer
ab9076d2fc3411897b5db85ac2c3c5fa791049b2f98b92dcf059fd0f48d4262a
RedLineStealer
ce31a4699587ca5d80d259cdb4318cd5eafb91a3fa4b79b37d745c35b0a15f48
RedLineStealer
d5d20876298dde3e49b0284b29f04b45d96f1d23b3a143aa1e22dfffaf8ad26c
RedLineStealer
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
RedLineStealer
+ 5'591 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:top discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220521-zan6wagedl/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
iclarinyerac.xyz:81
manellylarii.xyz:81
Unpacked files
SH256 hash:
104aafb356ae494b0b2686a03e1852f0041cba7150c8d83c58d8f64c7d2c2952
MD5 hash:
c1c3bfa8e4c4a5234731bdb91d596780
SHA1 hash:
c61bc819179efbe7fbd535480a4942a46d108fdd
Link:
https://www.unpac.me/results/c1736e9f-feed-4119-b8f0-6b2d755930ab/
SH256 hash:
c7500f89b838c444074e709f1ace15d1583b69823e61e840e3d823a4770adb98
MD5 hash:
f0285045d29cf387a528823e103cc939
SHA1 hash:
809826d5dc377d55636f2a6d419ef81bdcaadd70
Link:
https://www.unpac.me/results/c1736e9f-feed-4119-b8f0-6b2d755930ab/
SH256 hash:
c33c59cbf5e520eda727e6366dbb8d1c14c1ecd80d3bb6a16b64f730868d0f88
MD5 hash:
775fee53b944dc79b42b0ebd7156fcf4
SHA1 hash:
6ea19afae200720f8cccaf7bf62cf05f4b332600
Link:
https://www.unpac.me/results/c1736e9f-feed-4119-b8f0-6b2d755930ab/
SH256 hash:
9be9c226d1770430b003c7722d362a1d83d2e6896544826a1e4ad141a54d9865
MD5 hash:
c4f4e2e9c897683510110592e08851aa
SHA1 hash:
b8de0ccc5363fad357b7ef123298b05c87a2429c
Link:
https://www.unpac.me/results/c1736e9f-feed-4119-b8f0-6b2d755930ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9be9c226d1770430b003c7722d362a1d83d2e6896544826a1e4ad141a54d9865

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273327/

Comments