MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
SHA3-384 hash: 3ba321d2ea7e04c02ad214b3dd73132db596e1048dbdc0fa48bb04bd4666d3473deb0e67dba00c659abae21831086747
SHA1 hash: 94ba747decbbf94c9d9fc3b37d5dcdf21b18cd4c
MD5 hash: fd31a706875501e007727cc9d274014c
humanhash: happy-jersey-quebec-aspen
File name:fd31a706875501e007727cc9d274014c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:411'648 bytes
First seen:2022-12-27 23:07:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f906f57bba5f798fc5f29ed19dfc58fe (12 x RedLineStealer, 9 x Smoke Loader, 2 x Amadey)
ssdeep 6144:cuLelMxDZ8GInqvhNVMiUAk/jHV3oi/HZ9UZdLaYon5Jk4eROw:jqlMx1tjhnMsk/zV3oiUdin5JF
Threatray 19'111 similar samples on MalwareBazaar
TLSH T11794E000A6E2DAD2F52206F86C2597D4152FFC994EA0D5DEB7043E4F2DB7388B8523D6
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon fcfcb4b494949cc0 (13 x Smoke Loader, 12 x RedLineStealer, 3 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
fd31a706875501e007727cc9d274014c
Verdict:
Malicious activity
Analysis date:
2022-12-27 23:11:10 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a1a6d6bf-227d-4760-8ebb-3b22e827282e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63ab7ad90e926711fd751510/reports/c67266a5-315f-4bfb-8efa-6892e34c4ef4/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6f5b77d-d0ee-4601-bc51-4eb30b739dd2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1141811
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-27 23:08:13 UTC
File Type:
PE (Exe)
Extracted files:
80
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uksownb7eizk7e6f57ljizuppnsdle6izqys43hidv7jb5ngdjpa._file
Verdict:
malicious
Similar samples:
0edbf92ba8990787fa99d173c29e093b379f258ad5a4b3804ffeb5b9e3b2d559
RedLineStealer
114bc4570edf3732d88f11383a7fbe4eb8a92417193f9d098ba095a86b5a60aa
RedLineStealer
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
RedLineStealer
5270945de8fd0a548e710e4f2464679eda78b06626711bc8359939a68c277b19
RedLineStealer
7d0cf513e727a365b0ba3423732dc98b7513da224738ad7140986951990204fe
RedLineStealer
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
RedLineStealer
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
RedLineStealer
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
RedLineStealer
b923e11ffd6c1e461cb1b1a51323cc2bf15396a7dfe739b41fa1fb33838cddc3
RedLineStealer
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
RedLineStealer
+ 19'101 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:shakur discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221227-24jvcsbh3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
10d89dc018c4f68c4de429d05553643fe51c13ead82dd5ffe77ca6ce3da0bb04
MD5 hash:
57e2dc37dcb1345f2eb161a54cec3e83
SHA1 hash:
f32b2dc4905b6f0bf9bf28376b58773ca6c79852
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a6a92dd5-6cc7-4853-b66f-6bb7a4bcdad8/
Parent samples :
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
114bc4570edf3732d88f11383a7fbe4eb8a92417193f9d098ba095a86b5a60aa
46e8f1e77e132152528af8fea7bc9fe5d08df40b4222d6e91f61cfc0866e73e8
0edbf92ba8990787fa99d173c29e093b379f258ad5a4b3804ffeb5b9e3b2d559
a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
e56e9ab8b567b715b48f14a6c2cb425da1aa3b9df482264c37cd4000bdad99bc
SH256 hash:
5e19b7346f0bfad5eb4a9a942db22aba5be6ce7b6699b1304188090475565341
MD5 hash:
9a8d13fd329a1b399735e1f92a586aab
SHA1 hash:
da5fd282102baf2b3d91768d4303497fdb47bae6
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a6a92dd5-6cc7-4853-b66f-6bb7a4bcdad8/
Parent samples :
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
46e8f1e77e132152528af8fea7bc9fe5d08df40b4222d6e91f61cfc0866e73e8
0edbf92ba8990787fa99d173c29e093b379f258ad5a4b3804ffeb5b9e3b2d559
a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
e56e9ab8b567b715b48f14a6c2cb425da1aa3b9df482264c37cd4000bdad99bc
SH256 hash:
cd762a88c2abde591ec9d8a08b0d5d294d942a28085c88b47711e3650560a855
MD5 hash:
b32321503e273118774201c42a5b185f
SHA1 hash:
1d08f10d5f775a53a4b6d8f6a5547af1a279a002
Link:
https://www.unpac.me/results/a6a92dd5-6cc7-4853-b66f-6bb7a4bcdad8/
SH256 hash:
a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
MD5 hash:
fd31a706875501e007727cc9d274014c
SHA1 hash:
94ba747decbbf94c9d9fc3b37d5dcdf21b18cd4c
Link:
https://www.unpac.me/results/a6a92dd5-6cc7-4853-b66f-6bb7a4bcdad8/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a2a4eb343f22/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2486082/
  
URLhaus
https://urlhaus.abuse.ch/url/2488613/

Comments


Avatar
zbet commented on 2022-12-27 23:07:38 UTC

url : hxxp://62.204.41.145/most/slova.exe