MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a78c6b44fa48674f8dc9572fd7ff9b15347dca01f9aa38d34fc18d688f92c4a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	a78c6b44fa48674f8dc9572fd7ff9b15347dca01f9aa38d34fc18d688f92c4a4
SHA3-384 hash:	e33b30fc0d47253962dc6e28d83379c130c60a5ed95b9feaa3bfc4a43f376104907f3f20d7c63ae90514a2326f101320
SHA1 hash:	5b2394b991441c54429d97b81c74cc73e2a0bbea
MD5 hash:	669fa0ba715518774ef16ecc9ba1dbe5
humanhash:	north-nevada-edward-black
File name:	21617261.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'136'368 bytes
First seen:	2022-03-19 05:03:16 UTC
Last seen:	2022-03-19 06:42:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61747f6f466078d67d1a5eafc213eb8f (1 x RedLineStealer)
ssdeep	24576:UJI3ZMKbpSsKNGI4oEy/VdT8oDSvCls2jDEc7az580NyNii50qmzkzWS:bZMggsKLVvVZf9DD7eN0CqmAp
Threatray	4'940 similar samples on MalwareBazaar
TLSH	T173353359D7090C3ACBE1E4F47C35533628AEF9EF825D472CAD2D193E985E1067720A8E
Reporter	adm1n_usa32
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	S-Data Swordfish ASWORDFISH-530I-Y 250
Issuer:	S-Data Swordfish ASWORDFISH-530I-Y 250
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-02-28T22:10:20Z
Valid to:	2032-03-01T22:10:20Z
Serial number:	1952defcfd938ca6480ae1c8a1b93fb4
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	9a273bf44468e2cacff5d55db5d20a9b27501ac442fd730fc7218fae0f2e932b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/252890/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.26358.7817.29761.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62356446b94fb38cb4aa4340/reports/3e16ad84-aa06-4922-9678-49695650546b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9f1098d8-ffaf-44c3-abf6-9a4321fb8c1e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960044

Signature

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a78c6b44fa48674f8dc9572fd7ff9b15347dca01f9aa38d34fc18d688f92c4a4/

Threat name:

Win32.Trojan.Obsidium

Status:

Malicious

First seen:

2022-03-04 11:28:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979

RedLineStealer

6087cbea917f0062401149be475a2d9440d00ce2a962d3be3b16f26264729233

RedLineStealer

a2556ce4f6a53ac6e63f597e9fe1671bc3d65d6b0b2af5ff3824a890f99cd9aa

RedLineStealer

d048d1f750a42a6ec45af4ea95fa97161f5d69e178b5c8cd467ddb1bb2fd69a1

RedLineStealer

f9b3c57202c39c622292e553502c5713158dd7ac36548fe1daf6af6c56e9537b

RedLineStealer

+ 4'930 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@antisocialbrockenstupidboy discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220319-fqahwacceq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

65.21.5.58:48811

Unpacked files

SH256 hash:

2796df416ad05b758e96d19fe8fe5f4add26cc18ca131c37c619bd4c9015727d

MD5 hash:

c8504e0892a3abbb82f609b83c5e4f00

SHA1 hash:

ab4b1c4cea75670c9a0f9bdb014dad95b3e2e683

Link:

https://www.unpac.me/results/5be843d3-a7a2-451a-b5e1-ada943ab40b5/

SH256 hash:

a78c6b44fa48674f8dc9572fd7ff9b15347dca01f9aa38d34fc18d688f92c4a4

MD5 hash:

669fa0ba715518774ef16ecc9ba1dbe5

SHA1 hash:

5b2394b991441c54429d97b81c74cc73e2a0bbea

Link:

https://www.unpac.me/results/5be843d3-a7a2-451a-b5e1-ada943ab40b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.86

Link:

https://yomi.yoroi.company/submissions/a78c6b44fa48674f8dc9572fd7ff9b15347dca01f9aa38d34fc18d688f92c4a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/252890/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample