MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2b4c803b5bafe2e4428cf462bb78c177fcc0c04ca746a82608231bedc47c21f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a2b4c803b5bafe2e4428cf462bb78c177fcc0c04ca746a82608231bedc47c21f
SHA3-384 hash:	3cb482c0d3ab949b25288ca3b5dfe895ccd7de370e875f68271f250dba415eaafd08e4e612b2341544f49708d101da93
SHA1 hash:	bd79857682caa536166ab22e04857cd8d31a2cc5
MD5 hash:	a65d90694c40ff77b1aa150c3bd666b6
humanhash:	alanine-twelve-victor-comet
File name:	a65d90694c40ff77b1aa150c3bd666b6.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	393'728 bytes
First seen:	2021-06-19 04:56:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	924d9a2d7cc05ebebcdeae3f0201835c (9 x RedLineStealer, 2 x DanaBot, 1 x Smoke Loader)
ssdeep	6144:sBELTwahlt/Z/nZeo54JsG334Gs+k48mUTV3BJkgXhOjO6xPYYBxkwnyvqStXxka:JLUahltx/nZKs08m6BigXwlnn4lR
Threatray	2'680 similar samples on MalwareBazaar
TLSH	D184AF10FA90C035F5F622F85AB593B9A52D3AB05B2451CF62D52BEE47346E0EC3271B
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
176.121.14.43:53999

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
176.121.14.43:53999	https://threatfox.abuse.ch/ioc/136818/

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a65d90694c40ff77b1aa150c3bd666b6.exe

Verdict:

Malicious activity

Analysis date:

2021-06-19 04:59:10 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/0257250b-420e-4eec-86e9-5dcf56c99604

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/166981/

Detection(s):

Win.Trojan.Mokes-9872775-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cc35cab2-fd51-4828-b9f2-3139d75ac95e

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/804666

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2b4c803b5bafe2e4428cf462bb78c177fcc0c04ca746a82608231bedc47c21f/

Threat name:

Win32.Ransomware.WannaCry

Status:

Malicious

First seen:

2021-06-17 17:46:05 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uk2mqa5vxl7c4rbiz5dcxn4mc574ydaezj2gvataqiy35xchyipq._file

Verdict:

malicious

RedLineStealer

38be3ad05a6c425c48e00b37c6c98b2c8deba6f0183c87e512416f9c8e5f6434

RedLineStealer

65f74567c2faff6c1005d715a0525fac1844809a853006e3298a0834b804e188

RedLineStealer

95879907ceb15b10bbc4e9f303714e218e766d43ba4cba0bdea3748fc3de542a

RedLineStealer

9d11f500b8890bf54f7292f2bb7140cfaca114df492003a9633848300f94e713

RedLineStealer

a481ea6b643ad753a5538ec13c9f270e426e2a389c78ed9f48a0616f6a69ef4e

RedLineStealer

bdbff3e390c1994aa66169922985f28a2b5a647ec1af964cdc135286aed800a0

RedLineStealer

beef9882631d740d3cabb7ce14f299c1fc0e47e6cef65ff7e023ac4437d067f2

RedLineStealer

e87c87c4a26902bc8bbd9993162a98bfb67bb20f9b06cfc0084f5301bec9b816

RedLineStealer

ec835c15a9000e86553ebd1ec3a1cabee067cde9683b526e5dd09a276e1cd50a

RedLineStealer

+ 2'670 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210619-htdqdxnr6j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

82286412aaacb90839c33c173e9f45421fae1cae2a36b0fa1bee45eddc6006a7

MD5 hash:

9d038784c6c0cdbdd9d3ffecdb22ccc7

SHA1 hash:

a3cdaebee46550fc32eca5e23f6bff5e3f8d8179

Link:

https://www.unpac.me/results/4f53bce3-fb90-41cf-8d8d-d8dea9a8e788/

SH256 hash:

4d7dc5c07ec341f4bb923f25efcd77b782b576bd980fc33c7d3f9ad0d8e033a0

MD5 hash:

3bbdc75f879b00b0ebe7150d52677b24

SHA1 hash:

306e46901f654b193bcc3535fdeb674bc37141a5

Link:

https://www.unpac.me/results/4f53bce3-fb90-41cf-8d8d-d8dea9a8e788/

SH256 hash:

99b2709db59ef6756412614a412fea87b51376d4c2bbd15a720c107665b0131e

MD5 hash:

d809d0f47a47fc4d630a89895b05aa29

SHA1 hash:

13042d0467cd99d485adcd00c60206929eaa11c5

Link:

https://www.unpac.me/results/4f53bce3-fb90-41cf-8d8d-d8dea9a8e788/

SH256 hash:

a2b4c803b5bafe2e4428cf462bb78c177fcc0c04ca746a82608231bedc47c21f

MD5 hash:

a65d90694c40ff77b1aa150c3bd666b6

SHA1 hash:

bd79857682caa536166ab22e04857cd8d31a2cc5

Link:

https://www.unpac.me/results/4f53bce3-fb90-41cf-8d8d-d8dea9a8e788/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2b4c803b5bafe2e4428cf462bb78c177fcc0c04ca746a82608231bedc47c21f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166981/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample