MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5
SHA3-384 hash:	cc25146fb0e4d416ade2df247295f9ff2810565bb1060621eaab7e994ed7d05c8e55fed7020350fb0fe77d090c6627ad
SHA1 hash:	08b864ba77fa6406942564d75922b3f54f9d35ee
MD5 hash:	88d84b94c84f68713c08e854d2f2a9ed
humanhash:	virginia-west-fourteen-kilo
File name:	88d84b94c84f68713c08e854d2f2a9ed.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	417'792 bytes
First seen:	2022-03-21 14:51:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d626a2a864a52e91dc5f85b5e98029ae (6 x RedLineStealer, 3 x Stop, 2 x RaccoonStealer)
ssdeep	6144:vk07sUQRvqtudxOXFWQR3d3F9b6g+W+GqFgkDnalTr+iH+qRgpnhTaGcoX:snUQMtZXUyNnbh+NGq6kDalTy8WUM
Threatray	5'820 similar samples on MalwareBazaar
TLSH	T12B94DF40B7B0D03DE5B712F879BA93AD742E79A05F2150CF22D66ADA16306E0DCB435B
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.28:4819

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.28:4819	https://threatfox.abuse.ch/ioc/429003/

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5.zip

Verdict:

Malicious activity

Analysis date:

2022-03-21 15:04:26 UTC

Tags:

trojan rat redline loader

Link:

https://app.any.run/tasks/1b979be2-9d09-4bc6-b083-646f8d4a05ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/253639/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10127/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62389118b94fb38cb4c44914/reports/0a5f49fc-6e58-4b67-a377-b96fc7c689eb/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95dc3c86-7b35-45aa-8fd3-74f7e3d7d371

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960870

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-03-21 14:52:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uqurvahvqx3gcdiimbrjrbxxds22rffmjxfuvjb6xoyryqeymtsq._file

Verdict:

malicious

RedLineStealer

84089e99968bc4f076960814fe0d5cc4799dd692d5238960de74ea3e45d30e27

RedLineStealer

8e88a317b2a066bbf484f480b1d982880d3749a0ab5d33bab5de59bcaec22b5b

RedLineStealer

9628c80e4407f6bf7eca3f6400d1fa0316248cdafbc78e6dba4ea65a87f27829

RedLineStealer

a3f9d2f8201cd06a0a68841df40fba976c8b4ad6d3fd6ed067ced53507906911

RedLineStealer

a426c2090b8c2777661236aa54ce8eb143af9cc4c1aa8aa11261c6758a970921

RedLineStealer

debcda9c7b9d3d93a7bc542ed22f34f77e431518229e41779d1e8ccf5fc80b2e

RedLineStealer

+ 5'810 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220321-r8qtcsdah9/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.28:4819

Unpacked files

SH256 hash:

1f10a428ad956ba49f0a5fb85b30c7e4dce72601797bf464e66703aa9608687f

MD5 hash:

d2269a4f5e10d256af5cc054d4778aee

SHA1 hash:

7c88f0036628ce5a57e7bd1d663c3e34303a40ec

Link:

https://www.unpac.me/results/a46f281b-77f9-4157-be11-c6f2a3c737ce/

SH256 hash:

5a005f69f47618e180d003e13514bb60a10231211faebb8f34d6be5cdafe3ee6

MD5 hash:

286e67c65b270f2b8d35f96b692ad8a4

SHA1 hash:

72d9b2cfe3cadf100b67a7e3c766dc792a534ac1

Link:

https://www.unpac.me/results/a46f281b-77f9-4157-be11-c6f2a3c737ce/

SH256 hash:

fe18a39ffd7d23c1242038d9ddd4794ba2b292103106c487185ca517ea66c7ab

MD5 hash:

0838a8d1fcc2e8f575a48e43cceb1b60

SHA1 hash:

02f3cf211514da94be79d6fbd29b93f3c48caddf

Link:

https://www.unpac.me/results/a46f281b-77f9-4157-be11-c6f2a3c737ce/

SH256 hash:

a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5

MD5 hash:

88d84b94c84f68713c08e854d2f2a9ed

SHA1 hash:

08b864ba77fa6406942564d75922b3f54f9d35ee

Link:

https://www.unpac.me/results/a46f281b-77f9-4157-be11-c6f2a3c737ce/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a4291a80f585/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.