MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8a91bfc913c4d8d0702ae4857cfb68f686bee4592088ce76d87085abf141fcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	a8a91bfc913c4d8d0702ae4857cfb68f686bee4592088ce76d87085abf141fcd
SHA3-384 hash:	ac0cc69f9c5ab67950d4ca4bc9a6eff3e73a5634cccdfca68c491c772d429d601aa5f9cc65b84736dea17acd9c864772
SHA1 hash:	2665127fc9cf1c48f498213743e8025e30794d70
MD5 hash:	9bee0ff21240823ba04d171aeda06af5
humanhash:	minnesota-fanta-happy-september
File name:	a8a91bfc913c4d8d0702ae4857cfb68f686bee4592088.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	303'104 bytes
First seen:	2021-11-22 13:01:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	84e6accbe2ee6e92f38284e9b523500f (2 x RedLineStealer)
ssdeep	6144:cOmeAleawTrzCmp82B0rgc8p4+IIgSrSDsS1:czNl5wTrGmy2BfpgIgSEh
TLSH	T1A054F1017AF48271C0971D3214359AB15E7F3E327535828A7BA80B2DAFB17F08AB5B57
File icon (PE):
dhash icon	fcfcf4f4d4d4d8c0 (12 x RedLineStealer, 12 x RaccoonStealer, 3 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.92.73.160:46771

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.92.73.160:46771	https://threatfox.abuse.ch/ioc/252061/

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a8a91bfc913c4d8d0702ae4857cfb68f686bee4592088.exe

Verdict:

Suspicious activity

Analysis date:

2021-11-23 00:20:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/18acb3a6-0654-4f50-a090-d3a811269173

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

lockbit packed

Link:

https://www.filescan.io/uploads/619b94cddd04e7d00e02382f/reports/853b787a-0119-42d3-927b-b0f9b1ecacd6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/101ee436-ef5f-46ac-abf2-5646409f5e98

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/893833

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8a91bfc913c4d8d0702ae4857cfb68f686bee4592088ce76d87085abf141fcd/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-22 12:20:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vcurx7erhrgy2bycvzefpt5wr5ugx3sfsieizz3nq4efvpyud7gq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211122-p889lafedk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.92.73.160:46771

Unpacked files

SH256 hash:

ed2166d58a5a9001c7c56e824f15b190f5c70e6f8542966cd297d8e0c810af90

MD5 hash:

702e5f5aee9cd04975a4e65e2ca4bef9

SHA1 hash:

f9840b7eb17dc80e987951fbecae2b722780f4d5

Link:

https://www.unpac.me/results/c7c6ac5e-22ec-462b-ac5c-f9cda3844935/

SH256 hash:

fc2aeaf5ccaab74ea61b71c8101449b459bc307b7214119333e14184629d0e0a

MD5 hash:

6f6d1e7ab58c2f8d5e99073e46dca295

SHA1 hash:

97ad74c2637098b39c8122386670e0a4d19c567b

Link:

https://www.unpac.me/results/c7c6ac5e-22ec-462b-ac5c-f9cda3844935/

SH256 hash:

59e32893fb2e9ddddebc58ce502ba423c0fcb8d9153c5c256c27b935e36930a5

MD5 hash:

d9afc3c15189ff71d0c6edf7d0ffa54c

SHA1 hash:

7b132040154b409568fc81bec99faeba4f46b826

Link:

https://www.unpac.me/results/c7c6ac5e-22ec-462b-ac5c-f9cda3844935/

SH256 hash:

a8a91bfc913c4d8d0702ae4857cfb68f686bee4592088ce76d87085abf141fcd

MD5 hash:

9bee0ff21240823ba04d171aeda06af5

SHA1 hash:

2665127fc9cf1c48f498213743e8025e30794d70

Link:

https://www.unpac.me/results/c7c6ac5e-22ec-462b-ac5c-f9cda3844935/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a8a91bfc913c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8a91bfc913c4d8d0702ae4857cfb68f686bee4592088ce76d87085abf141fcd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/208161/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample