MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a67a1f57340a32eaa9e77984ba814ba4e0264af488dea075b500bcceec999c0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	a67a1f57340a32eaa9e77984ba814ba4e0264af488dea075b500bcceec999c0e
SHA3-384 hash:	60e4903a50d501169edfc47339ce85dcc0230b7f4c62f5be9834b2ebb57b75400a0034757d1422afb8a0e97996d951ea
SHA1 hash:	1a264039db0cb247be29f5eb25f6e35b6a3dc109
MD5 hash:	8c6f22427dc27b742b1d7d25f4850a1e
humanhash:	king-island-xray-cardinal
File name:	8c6f22427dc27b742b1d7d25f4850a1e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	433'664 bytes
First seen:	2021-11-28 07:26:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	914248bf17d6f38c8d907a4836a02aef (2 x RedLineStealer)
ssdeep	12288:5nW++7bCRY4EyQgEDuxZUrfi7j4jvlOeipk:FW+uboEqBxmrf0QO
Threatray	3'419 similar samples on MalwareBazaar
TLSH	T15194CF14B7E4D038F1B712B89D75D368A93E7AA16B3890CF62D516EE5635AD0EC3030B
File icon (PE):
dhash icon	5412b2e068696c46 (2 x ArkeiStealer, 1 x Stop, 1 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8c6f22427dc27b742b1d7d25f4850a1e.exe

Verdict:

Malicious activity

Analysis date:

2021-11-28 07:27:47 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/6cac667f-154f-4841-8af0-2b68929ae064

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61a32f4abbfd2af97cb6daf0/reports/a528d2d8-52a5-4a74-9ddd-b75bf1eb57f7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4120ba44-e668-4da8-b09a-16c7f73972c9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/897292

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a67a1f57340a32eaa9e77984ba814ba4e0264af488dea075b500bcceec999c0e/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-28 07:27:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uz5b6vzubizovkphpgclvaklutqcmsxurdpka5nvac6m53eztqha._file

Verdict:

malicious

RedLineStealer

6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9

RedLineStealer

c292fd152f9c1e4d1a0b1c2a5dcaf9ef05b1c3f60494b184aafe471527458783

RedLineStealer

d1439d1a3c8bd8495a07ea2d22e4480b7cd837deb3b6c5576e98592de7f67996

RedLineStealer

d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718

RedLineStealer

+ 3'409 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix28.11 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211128-h948psgfdm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.15:21508

Unpacked files

SH256 hash:

5bd89ee7f2df3fe4851211902915f64481ca9033027c8c9a8dd975353f2b743d

MD5 hash:

48f22d0bb9b468815bd10d13d2e1472f

SHA1 hash:

e67d4bed1442a0d0df1a720a910fc273fa12a636

Link:

https://www.unpac.me/results/5640a2eb-e650-4998-8464-c5eb872d1270/

SH256 hash:

4b29f3663da43a2e033ab3ef73699c0d735be19c2d46e1677fd896421bc597af

MD5 hash:

098578b2e099cd4cc0bc6f1b074cd383

SHA1 hash:

81a5297f881601c8cc2cf0509914ba3a4f4afab6

Link:

https://www.unpac.me/results/5640a2eb-e650-4998-8464-c5eb872d1270/

SH256 hash:

fe936b997870362506bf5666052c64812f6a9a1244dd6783aaa176d418d20501

MD5 hash:

1da9187e406340a0b36d3d52ce2865b2

SHA1 hash:

1cafcc900e1e4108231acb68e8a33594b2841d21

Link:

https://www.unpac.me/results/5640a2eb-e650-4998-8464-c5eb872d1270/

SH256 hash:

a67a1f57340a32eaa9e77984ba814ba4e0264af488dea075b500bcceec999c0e

MD5 hash:

8c6f22427dc27b742b1d7d25f4850a1e

SHA1 hash:

1a264039db0cb247be29f5eb25f6e35b6a3dc109

Link:

https://www.unpac.me/results/5640a2eb-e650-4998-8464-c5eb872d1270/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a67a1f57340a32eaa9e77984ba814ba4e0264af488dea075b500bcceec999c0e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe a67a1f57340a32eaa9e77984ba814ba4e0264af488dea075b500bcceec999c0e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1817128/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample