MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a981e21aac19c98e126737f1ffeb2e4040cca00f393d4c3a9b705baf9df00986. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: a981e21aac19c98e126737f1ffeb2e4040cca00f393d4c3a9b705baf9df00986
SHA3-384 hash: e8aae6b84c81ddcdf00f08262177a46ea3572948d468620c2b6a540191dd5b85464a3afdbf42abada6f898a47c7f99a3
SHA1 hash: 7728a0a844857f66c885e319a05a92bd90445bf6
MD5 hash: 9591fefb403773b5b0737af2cd7890f9
humanhash: carpet-sixteen-fruit-yellow
File name: 9591fefb403773b5b0737af2cd7890f9.exe
Signature: RedLineStealer
File size: 404'992 bytes
First seen: 2022-01-20 06:37:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 125adc129c50285a2cd4524417d3fdd8 (11 x RedLineStealer, 2 x Smoke Loader, 2 x ArkeiStealer)
ssdeep: 3072:THRyYLz3Gx2Y1tjfy/7FyXjO6fMze9kBIq/6c7ybDGNPNzn/PtOJ5ywY6KnBO4Up:rRyYLzC2Y167QwfBoXDuzFxFnBOv8Z
Threatray: 4'456 similar samples on MalwareBazaar
TLSH: T1E584E070F680D471C0D62530843ACFE45ABEBC74D865564B32A63BAAFF312D1667A21F
dhash icon: fcfcb4b4b4b4d9c1 (6 x RedLineStealer, 3 x Smoke Loader, 3 x Amadey)
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
RedLineStealer C2:
45.9.20.111:1355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.9.20.111:1355
ThreatFox reference: https://threatfox.abuse.ch/ioc/303028/

Intelligence

File Origin
# of uploads: 1
# of downloads: 178
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-01-20 04:33:18 UTC
AV detection: 26 of 28 (92.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 4482c8da1743ba343cbc1ce31d4286e658040e3da37de2b72e4169fd7249e8bf
MD5 hash: 925e4096edb29345423f418baf42d91b
SHA1 hash: f9669495412c387eeb33575ae1a3f423d8857414

SHA256 hash: 51cd6a24d9cd54284fcbe572515477e2ceb2c370c03b41f00db072ec2b279c3b
MD5 hash: bbd385cd69cc12b32c4acd442be19d09
SHA1 hash: a7dacfc795e53f9a668461dc025e6f4e135bc616

SHA256 hash: 1439a02fef8a5a5cbc1e01085030e7e7a4a4bbb2c7a050c3f1d85b0aa87f4a66
MD5 hash: ce925fb115d230044cf2992b463fd1e5
SHA1 hash: 8b62f961dc8089a2ea2d1f50139e7fbb884f12aa

SHA256 hash: a981e21aac19c98e126737f1ffeb2e4040cca00f393d4c3a9b705baf9df00986
MD5 hash: 9591fefb403773b5b0737af2cd7890f9
SHA1 hash: 7728a0a844857f66c885e319a05a92bd90445bf6

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe a981e21aac19c98e126737f1ffeb2e4040cca00f393d4c3a9b705baf9df00986 (this sample)

Delivery method: Distributed via web download

Comments