MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2f072b7df206313f8960c85b00c2c47350d26e815f612961a53340a701f6b6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a2f072b7df206313f8960c85b00c2c47350d26e815f612961a53340a701f6b6d
SHA3-384 hash:	194ecd88b4895fd5ae19a342b65239040f76a868fdf997bc646dc900f2a4fcca91afbaf92d927c2a34952f32e416053e
SHA1 hash:	8838bc6b7a83af0418af05250ed5833d706c1edd
MD5 hash:	70d6205c52d0e3eb7ff3b225a357e345
humanhash:	blue-december-monkey-california
File name:	70d6205c52d0e3eb7ff3b225a357e345.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	417'792 bytes
First seen:	2022-01-18 21:21:35 UTC
Last seen:	2022-01-18 23:05:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	311ea42554ae3ae0114019c7e3754cbb (6 x RedLineStealer, 1 x Smoke Loader, 1 x Loki)
ssdeep	6144:67kXwadnWNL2LGdoqiqIdbXL8RG1aV4W4KlUYTTGaQ:64XdRWNuwo55u9TDrTyV
Threatray	4'269 similar samples on MalwareBazaar
TLSH	T1BD94E021F591C472C4912230482DDFE13ABEAC74D9749E0733A93BAD6F722D05A6639F
File icon (PE):
dhash icon	fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.10:39759

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.10:39759	https://threatfox.abuse.ch/ioc/299070/

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

70d6205c52d0e3eb7ff3b225a357e345.exe

Verdict:

Malicious activity

Analysis date:

2022-01-18 21:27:29 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/ad49a3ae-0e62-4171-8509-894282dc0892

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/220371/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.11070.12240.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4626/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61e72f7ef81da814af8d590c/reports/da585662-6509-4e43-97d6-835d7ffa784e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d19a88b-b1d6-467f-92c5-2047fb5d7faf

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/922871

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2f072b7df206313f8960c85b00c2c47350d26e815f612961a53340a701f6b6d/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-01-18 21:22:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ulyhfn67ebrrh6ewbsc3adbmi42q2jxicx3bffq2km2au4a7nnwq._file

Verdict:

malicious

RedLineStealer

61945cb0d37bfb32d2f818e6b118d9968213903e73570769eda83a4405c5d783

RedLineStealer

6c90a4a65b4d10539243734b9783c414e8a95501e1272e1ef1de6b0e284d5899

RedLineStealer

7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

a51ddfebbff6f4599a904655a5bac8e51234c4f7e9c3d2faa4cbc24f1f94ec3c

RedLineStealer

a78ca974527199f93fa840fb13ccfc1808fb5d8288fc717e9136f3aff43efeee

RedLineStealer

+ 4'259 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220118-z7wxzsddc9/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

8e0b12340eb0e458e3ebcb8108f31b6c89d3f15ad8c64342101c19f8b6f20540

MD5 hash:

864e6a37eae03e58640045958f2ab0bd

SHA1 hash:

493c13e0320508a5310f94b05781f477fa2a6eb2

Link:

https://www.unpac.me/results/ceb509b5-9d46-47fb-8207-6e3d3c35a0b3/

SH256 hash:

d9ab4252d6f436ae3dc194706ea3b0c10e7d4769e03bf1b6cba511978ed54f00

MD5 hash:

d7e8c78d59106be59628de95abc8b333

SHA1 hash:

4299ec816112620d84863871bcb05ba4497e361f

Link:

https://www.unpac.me/results/ceb509b5-9d46-47fb-8207-6e3d3c35a0b3/

SH256 hash:

a22768933b793c6b748377c1e504162556640e03a4fb5f019f9f9d78ad17213b

MD5 hash:

a5c9f2963321f324d589ca200123ae7d

SHA1 hash:

13c59f6d15a749018962cd7f8c56eeffeca18815

Link:

https://www.unpac.me/results/ceb509b5-9d46-47fb-8207-6e3d3c35a0b3/

SH256 hash:

a2f072b7df206313f8960c85b00c2c47350d26e815f612961a53340a701f6b6d

MD5 hash:

70d6205c52d0e3eb7ff3b225a357e345

SHA1 hash:

8838bc6b7a83af0418af05250ed5833d706c1edd

Link:

https://www.unpac.me/results/ceb509b5-9d46-47fb-8207-6e3d3c35a0b3/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a2f072b7df20/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2f072b7df206313f8960c85b00c2c47350d26e815f612961a53340a701f6b6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.