MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a23edc8ced38a13512f37240c8dee007c7961aec410f0aaeb9f3f966a837eab8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	a23edc8ced38a13512f37240c8dee007c7961aec410f0aaeb9f3f966a837eab8
SHA3-384 hash:	66724c4c64d0a2a96203e582ebecefef683094eec6d47dc1bb7e2aabd23ae16377882569e70cdc3f0e03508c89c0321d
SHA1 hash:	b89f304c3a45725432aba3b7a1d1b4509e2b02b7
MD5 hash:	ada3d85d8a093eb5978a1400ca08cb42
humanhash:	mississippi-carpet-fourteen-blue
File name:	a23edc8ced38a13512f37240c8dee007c7961aec410f0.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'742'340 bytes
First seen:	2022-10-07 10:25:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7a688bd2f7775d0c8bac9f276c94cc5b (3 x RedLineStealer)
ssdeep	24576:Lvqy5c4JRuUnUCuY1Yq6n2uUiM0cdTLJlLayVpkIgjmaDTzJ0V0b+NcJLpiyITl1:LvLJRfnUzE3VpkIgj5TVY0b+NcJIl3l
Threatray	623 similar samples on MalwareBazaar
TLSH	T179C52B136A9B0D75CDD237B4A1CB633AA734ED30CA3A9B7FB608C43959532C56C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
88.119.170.234:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
88.119.170.234:81	https://threatfox.abuse.ch/ioc/872202/

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317575/

Detection(s):

Win.Malware.Redlinestealer-9973713-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Launching a process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41848/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/633ffebbdace43a378f449c8/reports/6aa4f076-1400-4156-87ee-19f4a9519de3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d1b90f7c-d0c9-4b1e-a1af-ea76ecffe258

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1085638

Signature

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a23edc8ced38a13512f37240c8dee007c7961aec410f0aaeb9f3f966a837eab8/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2022-10-07 10:26:12 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ui7nzdhnhcqtkextojamrxxaa7dzmgxmiehqvlvz6p4wnkbx5k4a._file

Verdict:

malicious

RedLineStealer

4cb1d4b5bb2cf9f77c0dcd1b4b08d2a834ea60018de7622541644536f7d02945

RedLineStealer

727be5cee6ca4efd8b66e94850461d4d1aab5757d8530d69596b2bd1967790a0

RedLineStealer

a755ddce5ccba523434a36c677d058baef63ecb90e33670a96a70efc7978d411

RedLineStealer

c62cf1352a697a30572caaed469cf5c6add3570cada2e4086e4effb14cb848c1

RedLineStealer

d4b8bb0d23cc76d722839af1760053357bc39708d9712af2a882019cbe696613

RedLineStealer

f7dbe640f31f8a9c00c0902580c04664a07d68d8453a3e7142691168c6fdbedf

RedLineStealer

+ 613 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1609 infostealer spyware

Link:

https://tria.ge/reports/221007-mgjhracbf3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

RedLine

RedLine payload

Malware Config

C2 Extraction:

b47n300.info:81

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f6c264d0-6bbe-48ee-a83b-2e49bde82cf4

Unpacked files

SH256 hash:

5d2387098925499b65b00a542f0bd9ffa648e36f87b55ed7767551e60ce714dc

MD5 hash:

5fea25aec6bcaa2bd4096fb3409b9d30

SHA1 hash:

3aaf45fcb9a7d13fd265b2b7f2cd04508b7d8599

Link:

https://www.unpac.me/results/dbdbf95b-dce2-4e5a-9a39-a77e32ffcfc8/

SH256 hash:

a23edc8ced38a13512f37240c8dee007c7961aec410f0aaeb9f3f966a837eab8

MD5 hash:

ada3d85d8a093eb5978a1400ca08cb42

SHA1 hash:

b89f304c3a45725432aba3b7a1d1b4509e2b02b7

Link:

https://www.unpac.me/results/dbdbf95b-dce2-4e5a-9a39-a77e32ffcfc8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a23edc8ced38/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a23edc8ced38a13512f37240c8dee007c7961aec410f0aaeb9f3f966a837eab8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/317575/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample