MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa21dd823150655970bcd5479918ab211caefa12ea4888883bbcbef75faccfb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments 1

SHA256 hash:	aa21dd823150655970bcd5479918ab211caefa12ea4888883bbcbef75faccfb8
SHA3-384 hash:	352da451c6bb0c003bcd03cbf8c104d9940eb3414d1909367cfb7834d6d84ddaaf79a5f91694650fae9940b30dfacaf1
SHA1 hash:	7e8a80e7d77ad8510eef77304ddd5cd4b3ff99ff
MD5 hash:	a6229d52c29b3baab9bf6d803fa90a00
humanhash:	michigan-golf-wisconsin-florida
File name:	a6229d52c29b3baab9bf6d803fa90a00
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	424'960 bytes
First seen:	2022-05-21 05:06:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2be6f5e335599832250ce10d0c8ed52d (3 x RedLineStealer)
ssdeep	6144:g8N+t3OMqzfxOIk3Z3WJkaK4r6gju1NXXA6U630nmx4XTTQvPHaL6:g+UOtbxOBZ3WJa4ZuHA6tPxsQHv
Threatray	4'976 similar samples on MalwareBazaar
TLSH	T1FA94BF307A90D034F6B316F8457583A97D2ABEA3AF2550CB62D93AEE56356D0EC30317
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

366

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

a6229d52c29b3baab9bf6d803fa90a00

Verdict:

Malicious activity

Analysis date:

2022-05-21 05:08:47 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/bfe46df4-efb1-4194-8e6f-e33cb1b12109

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/273278/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19418/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed smokeloader

Link:

https://www.filescan.io/uploads/62887348eba388bb867e3dce/reports/28f34c22-3280-4da0-8a32-b23457c77e5b/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/853e04b2-55e0-4d77-951d-0ca3e3d75a75

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/999021

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa21dd823150655970bcd5479918ab211caefa12ea4888883bbcbef75faccfb8/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-05-21 05:07:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=viq53arrkbsvs4f42vdzsgfleeok56qs5jeircb3xs7pox5mz64a._file

Verdict:

malicious

RedLineStealer

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2

RedLineStealer

7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e

RedLineStealer

8760a055ce1f31f4940e600680f31d80e37d40202d1d71ab284608affeea916d

RedLineStealer

e30916bb0f93ecd9ecc2e065e313c3d6933b7616208a88e91f6061d7cccdc309

RedLineStealer

e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e

RedLineStealer

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555

RedLineStealer

e7a690dae9484e6f3cf049e4d09f4a22c98ff9eaa2fd7f363630907ed56f00ce

RedLineStealer

+ 4'966 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220521-frzjdsaba5/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.233.48.58:38989

Unpacked files

SH256 hash:

eb26648f1e6b0a2e1e0a88021c0b7ab62c687c1cae6d2b1760b1fbceeb2408ad

MD5 hash:

db9077526b3a3ff8749657c6b1b329d9

SHA1 hash:

6aba8f1763291e88783cb992a5e44cfca0881df8

Link:

https://www.unpac.me/results/245c9d59-6242-4180-98e1-cb5889c264a9/

SH256 hash:

588f4411103884021efa84dee24dbe00effadfe358250d0fec5fb02e6dda6d96

MD5 hash:

3e52defcd4517fc3a5c4f65226a3004b

SHA1 hash:

65e96cb9495b34e897bcddac3ef3450089f19d83

Link:

https://www.unpac.me/results/245c9d59-6242-4180-98e1-cb5889c264a9/

SH256 hash:

8bb0caa8f111512d3ebb4c5f427f287a8e69c7b465fef0e46e5741c7489a3d3e

MD5 hash:

b37cb4b6fd8f51e3f8919135227e3d0f

SHA1 hash:

4edea527bea1443ee4f51a5a612ac85274177992

Link:

https://www.unpac.me/results/245c9d59-6242-4180-98e1-cb5889c264a9/

SH256 hash:

aa21dd823150655970bcd5479918ab211caefa12ea4888883bbcbef75faccfb8

MD5 hash:

a6229d52c29b3baab9bf6d803fa90a00

SHA1 hash:

7e8a80e7d77ad8510eef77304ddd5cd4b3ff99ff

Link:

https://www.unpac.me/results/245c9d59-6242-4180-98e1-cb5889c264a9/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aa21dd823150/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa21dd823150655970bcd5479918ab211caefa12ea4888883bbcbef75faccfb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.