MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a78b5e96e936a31fcb952db9eb67412582ce33dd95db11ff97902320de0dec59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a78b5e96e936a31fcb952db9eb67412582ce33dd95db11ff97902320de0dec59
SHA3-384 hash: e292f7d6e0a1394a15abcb0ee831800de685fd781ed28157288d33b04f1d13a0a10f425a896a87f73b78c987be772360
SHA1 hash: 094dbb9b071832b4531ca09c394e522690c33b92
MD5 hash: 9ee19661a2cd0b333f877563a29708d4
humanhash: may-carpet-alanine-illinois
File name:A78B5E96E936A31FCB952DB9EB67412582CE33DD95DB1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'548'125 bytes
First seen:2022-02-16 00:06:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 49152:ObOwxwn+OFlrhRehDKR91LepSF9eDWikA4epxnb:VtfPLuSeDBkApjb
Threatray 6'176 similar samples on MalwareBazaar
TLSH T190C52302FD82AFB3E6A21C328918DB16B5FC72240F35D64B7BD64C59BA750E13221D97
File icon (PE):PE icon
dhash icon 30f0e8e0fcdcd3fe (3 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.235.129.227:19866

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.235.129.227:19866 https://threatfox.abuse.ch/ioc/388105/

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241765/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.31721986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/620c3ff1ac8ad0468b446635/reports/61da7ebf-4a51-4193-87ff-74b7dd5820ae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f4329f3-8058-4d94-9b23-6d13ae38e548
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940490
Signature
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572968 Sample: A78B5E96E936A31FCB952DB9EB6... Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 5 other signatures 2->71 9 A78B5E96E936A31FCB952DB9EB67412582CE33DD95DB1.exe 23 2->9         started        process3 file4 41 C:\Users\user\AppData\...\oo2core_8_win64.dll, PE32+ 9->41 dropped 43 C:\Users\user\AppData\Local\...\build.exe, PE32 9->43 dropped 45 C:\Users\user\AppData\...\Siticone.UI.dll, PE32 9->45 dropped 47 8 other files (none is malicious) 9->47 dropped 12 cmd.exe 1 9->12         started        14 GalaxySwapperv2.exe 12 9->14         started        process5 process6 16 build.exe 13 12->16         started        19 conhost.exe 12->19         started        21 chrome.exe 16 425 14->21         started        dnsIp7 33 C:\Users\user\AppData\Local\...\build.exe, PE32 16->33 dropped 24 build.exe 15 34 16->24         started        51 192.168.2.1 unknown unknown 21->51 53 239.255.255.250 unknown Reserved 21->53 35 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 21->35 dropped 37 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 21->37 dropped 39 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 21->39 dropped 28 chrome.exe 21->28         started        file8 process9 dnsIp10 55 185.235.129.227, 19866, 49856, 49873 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 24->55 57 api.ip.sb 24->57 73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->73 75 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->75 77 Tries to harvest and steal browser information (history, passwords, etc) 24->77 79 Tries to steal Crypto Currency Wallets 24->79 31 conhost.exe 24->31         started        59 accounts.google.com 142.250.203.109, 443, 49774 GOOGLEUS United States 28->59 61 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49831 GOOGLEUS United States 28->61 63 14 other IPs or domains 28->63 49 C:\Users\user\AppData\Local\...\Cookies, SQLite 28->49 dropped file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a78b5e96e936a31fcb952db9eb67412582ce33dd95db11ff97902320de0dec59/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-15 04:35:25 UTC
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6fv5fxjg2rr7s4vfw46wz2bewbm4m65sxnrd74xsarsbxqn5rmq._file
Verdict:
malicious
Similar samples:
0edb9b65eac66a632e3e44c385ee861d360ee50e84e314c855bcf01aa9933c50
RedLineStealer
4081406d27f30f1dd68fca09d23aa9db54af4ea4fccfa3c486c5aa31ff772054
RedLineStealer
452d3d97689e5c5fcfdb2cad360b5768fbb7fedd07166e4e5131844196d4ddb0
RedLineStealer
4e41b23135ccd630532e143f5b6d41ae6d050b284fceaef1ef959e2414cf7c9a
RedLineStealer
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
RedLineStealer
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
RedLineStealer
a045c1cc2b85a5106a89a970262a3ba07dc65d96573401f1f31b4f9867ba7130
RedLineStealer
b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de
RedLineStealer
d98190863e8f53c385de8531ac7e5e89dc61cdaf17df688614ded12c24c78d31
RedLineStealer
dc8ddcd4db035fa647001a01cab6a2866d092fcaad18279835751ee0396da041
RedLineStealer
+ 6'166 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cheat discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/220216-adrzhabba8/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.235.129.227:19866
Unpacked files
SH256 hash:
5f796fa645c838ce779b5f3e6423003d5aa786602020a55683092371b3746269
MD5 hash:
77b98acd909432dad06d0d832d5c2611
SHA1 hash:
2f22e8d5d3b11ee48cfad450da56c1c12a914550
Link:
https://www.unpac.me/results/de204ab7-0bb4-456f-a6c4-06a69d250022/
SH256 hash:
a78b5e96e936a31fcb952db9eb67412582ce33dd95db11ff97902320de0dec59
MD5 hash:
9ee19661a2cd0b333f877563a29708d4
SHA1 hash:
094dbb9b071832b4531ca09c394e522690c33b92
Link:
https://www.unpac.me/results/de204ab7-0bb4-456f-a6c4-06a69d250022/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a78b5e96e936/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a78b5e96e936a31fcb952db9eb67412582ce33dd95db11ff97902320de0dec59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241765/

Comments