MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5614115a7018eb0a78d31aa6a8b64d2938a8fab7358a2055347534a51ae2979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	a5614115a7018eb0a78d31aa6a8b64d2938a8fab7358a2055347534a51ae2979
SHA3-384 hash:	9bf27f24fceb2e1623726135407a0ed033a6e21b1f4bf0e2b1fd0a058d146370a4a19c84b584a2a11e937d3a17b73064
SHA1 hash:	4c0ae166c62db2b04dda186c16768a43567d464d
MD5 hash:	b3ef0a8b4062a8a34586ed6de01325b3
humanhash:	arizona-undress-pluto-ohio
File name:	99294105.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	944'640 bytes
First seen:	2022-03-24 06:00:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	24576:TalnZbK7zamfl+3Xz3oxukEaHNYK3r7oy3NVzLF:UZbkxfl+3X1Na1U6NVF
Threatray	1'909 similar samples on MalwareBazaar
TLSH	T1581533E7398E3A64C7CD3AB1E3EA6B8646C441F654C26407FA12984B7D314A7B33859C
Reporter	adm1n_usa32
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/257011/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/623c09250cd58dbd92e474c6/reports/ba65a414-e577-45bf-8898-eae1fde93962/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4c35e9c-6bbd-4c90-a42d-229d7afc41c9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/963518

Signature

Allocates memory in foreign processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a5614115a7018eb0a78d31aa6a8b64d2938a8fab7358a2055347534a51ae2979/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-03-24 06:01:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uvqucfnhaghlbj4nggvgvc3e2kjyvd5lonmkebkti5juuunoff4q._file

Verdict:

malicious

RedLineStealer

5d913dfaea341540468e089d54d3a903f95c3e177db7a4f8a96c91ae8e2bde9a

RedLineStealer

8188604aa4c33561057de2f9f8671e430fb6a3fbbfdbe22ea0e2d305852a3289

RedLineStealer

8e608482cad57e0b61c813e96639f62abd854f069f49d68807c966ccadc518d5

RedLineStealer

9156df2fc9b608331333b0c9c76ceabb43273ef011c59dcf0223b4151c90b9aa

RedLineStealer

a6522fbf7fde5fa0a9acd7eadffa6cd789c98d96a65b828e28df160f4fc047e1

RedLineStealer

ab71f5f7b1bc591d422c2e18011d52ef484d731eafaea337d17d3564da30ab1b

RedLineStealer

c28e96902c42e75cd27aa189c22686335108d21d5e3f7815174588cb4f4ca186

RedLineStealer

dfd82ea53bb1196fc2e079063358063b524142778c754259045e4541c60d7c1d

RedLineStealer

f563d62dbc6bcf5f8c0f977bcd3bc66d39ee43cc5abdd63d3de105755dab3f91

RedLineStealer

+ 1'899 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer spyware

Link:

https://tria.ge/reports/220324-gqwlsadab7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.106.191.253:4752

Unpacked files

SH256 hash:

03bd686ca95a91f4ed6afbd6d7dbbe62a069878385108517c58ee7da2300ec3a

MD5 hash:

277eea35c3239d18d4800859d428f1e2

SHA1 hash:

116b1c8963ccf70bbe87fb68d7932f4f2b9ccdc1

Link:

https://www.unpac.me/results/4a62cf4a-0ec1-429c-a8b0-b5ebfa91402d/

SH256 hash:

f32bc3741eb4187fa9525e9c374f0e81f2d5e33b956e6a874fd35a21721c7279

MD5 hash:

3301c3967bec62b1c61b0bb64ccb1841

SHA1 hash:

68b69a85ff634181054bdcb91a1e801eb721cd41

Link:

https://www.unpac.me/results/4a62cf4a-0ec1-429c-a8b0-b5ebfa91402d/

SH256 hash:

a5614115a7018eb0a78d31aa6a8b64d2938a8fab7358a2055347534a51ae2979

MD5 hash:

b3ef0a8b4062a8a34586ed6de01325b3

SHA1 hash:

4c0ae166c62db2b04dda186c16768a43567d464d

Link:

https://www.unpac.me/results/4a62cf4a-0ec1-429c-a8b0-b5ebfa91402d/

Malware family:

RedLine.D

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a5614115a701/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a5614115a7018eb0a78d31aa6a8b64d2938a8fab7358a2055347534a51ae2979

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/257011/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample