MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932
SHA3-384 hash:	7d1188463495a9afe23a057f0d6528abee683b036beb4b59d15ec5ae51b4ff90caa30703deace498d968546b2bfed6cd
SHA1 hash:	54281aca074996bf0a66fe408440b69f2f66ccfe
MD5 hash:	021c61c9d1cac56e4ac63d60ce75f601
humanhash:	georgia-three-dakota-minnesota
File name:	a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d2659.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	407'040 bytes
First seen:	2021-12-18 17:42:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f46517a27dfd5e3e6128969b75b2086f (13 x RedLineStealer, 1 x CoinMiner, 1 x DCRat)
ssdeep	12288:sg6mkXjBtHZtry8fCjDX9D9RD93p+bwHirRcp:sgSTDHZtryRjDND93owK
Threatray	4'195 similar samples on MalwareBazaar
TLSH	T1ED84CF04B7A0D034F1B752F449BA93BCB53E7AE16B7891CB12D526EA4A386D0DC7035B
File icon (PE):
dhash icon	2dec1378319b9b91 (22 x Smoke Loader, 16 x RedLineStealer, 7 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.247:11452

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.247:11452	https://threatfox.abuse.ch/ioc/277407/

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2530/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61be1da88991ba72b38b8a40/reports/86489207-3c71-4b29-beca-616f205fba9e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1927d6b-ed51-4b72-84e7-a6e7c2a8d96d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/909632

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2021-12-18 17:43:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ucia6zxawz5splse2uoewp56gzludq6d2jszkg6xeu3kv7tqleza._file

Verdict:

malicious

RedLineStealer

4af6c10f95107cb0721dc162cc6e3f13ec9fc8e50ab7aba4a3f3a7a40fe36826

RedLineStealer

4ee947c64c25248011ad7d043d257978b1bf9d1c376e7e25a9d332a5e0af8a27

RedLineStealer

6fe38f5b9a96dcd56ee5653030f5fa73fe8653a42ed4a5bf5a12ed916725ab6c

RedLineStealer

a28f90a3f9e95a92d214da6f6e1599ffe38b9481ecd28aa14f8b74160e60c436

RedLineStealer

+ 4'185 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:pablicher discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211218-waka5sfde7/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.247:11452

Unpacked files

SH256 hash:

cfe09eb76e227adc4521e3fdb42f949b0530472a56cf7ebb224c276dcf8a78f1

MD5 hash:

3750e956c43ab9711ad26be3fefe6cad

SHA1 hash:

ae6694b0b9fe6662483c8214b6de88e289684727

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

29d97547e4029fa7e4f9ce6905e667d991afd9757cfc9a8ba928d26bbae6f11e

MD5 hash:

4dea2a653f73688bf59123962181ece1

SHA1 hash:

38977b2e6e1d86c14c9742d232eb7103fc1ce1ef

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

98ffb8fd3ca680f494e13955f68bc096546c0952e80d19b586620fd5bea38804

MD5 hash:

f36f7d41d466e0db0510f41045b4b1b1

SHA1 hash:

e662acfd8a902fbefad40dd51c3cd021b23fcdb0

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

98ffb8fd3ca680f494e13955f68bc096546c0952e80d19b586620fd5bea38804

MD5 hash:

f36f7d41d466e0db0510f41045b4b1b1

SHA1 hash:

e662acfd8a902fbefad40dd51c3cd021b23fcdb0

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

cfe09eb76e227adc4521e3fdb42f949b0530472a56cf7ebb224c276dcf8a78f1

MD5 hash:

3750e956c43ab9711ad26be3fefe6cad

SHA1 hash:

ae6694b0b9fe6662483c8214b6de88e289684727

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

29d97547e4029fa7e4f9ce6905e667d991afd9757cfc9a8ba928d26bbae6f11e

MD5 hash:

4dea2a653f73688bf59123962181ece1

SHA1 hash:

38977b2e6e1d86c14c9742d232eb7103fc1ce1ef

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

98ffb8fd3ca680f494e13955f68bc096546c0952e80d19b586620fd5bea38804

MD5 hash:

f36f7d41d466e0db0510f41045b4b1b1

SHA1 hash:

e662acfd8a902fbefad40dd51c3cd021b23fcdb0

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

cfe09eb76e227adc4521e3fdb42f949b0530472a56cf7ebb224c276dcf8a78f1

MD5 hash:

3750e956c43ab9711ad26be3fefe6cad

SHA1 hash:

ae6694b0b9fe6662483c8214b6de88e289684727

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

29d97547e4029fa7e4f9ce6905e667d991afd9757cfc9a8ba928d26bbae6f11e

MD5 hash:

4dea2a653f73688bf59123962181ece1

SHA1 hash:

38977b2e6e1d86c14c9742d232eb7103fc1ce1ef

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

30dac753433596324fe871aed555470f59019a70faf2f4262301ea6cbb38726c

MD5 hash:

d14624539d5115cfffbca2eebdcf0e12

SHA1 hash:

6d7ff16cf5929c4073473473cd413c7483cb3f20

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

SH256 hash:

a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932

MD5 hash:

021c61c9d1cac56e4ac63d60ce75f601

SHA1 hash:

54281aca074996bf0a66fe408440b69f2f66ccfe

Link:

https://www.unpac.me/results/9c5efef2-c8b9-4124-a5ae-74af6638a32e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215038/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample