MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa380d5239ccf0409993f7cfb4c2345d2364f3795398de00ea5b2db86e9a2cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa380d5239ccf0409993f7cfb4c2345d2364f3795398de00ea5b2db86e9a2cbb
SHA3-384 hash: ce2f889cf380555cb3fe15df768dd939bbfccc5e05a51685e2ff219e99abf1b71d77f7db527242f56edfe0432e3c7065
SHA1 hash: ebc0316b53f68ee2f71d9c07aaf10436d9401816
MD5 hash: c39f7d21aabffec2e14e7484ed6afe03
humanhash: mexico-crazy-table-five
File name:c39f7d21aabffec2e14e7484ed6afe03
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:375'301 bytes
First seen:2021-10-15 09:36:36 UTC
Last seen:2021-10-15 11:18:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e2cb00668936ef8a66a623b516f5f70 (2 x RedLineStealer, 1 x DanaBot)
ssdeep 6144:/+1fYzo2YFtv7XfkLR55Q+ONHlyj/tftlyooBg7eV:Gn9v7XcV5G+Odlyj/tDyoom2
Threatray 2'754 similar samples on MalwareBazaar
TLSH T13184BF00B7E0C034F1F752F846BA9278F92E3AA1A725A1CF52D516EA9734AD5EC30357
File icon (PE):PE icon
dhash icon e072600da0c4e4dc (2 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c39f7d21aabffec2e14e7484ed6afe03
Verdict:
Malicious activity
Analysis date:
2021-10-15 09:40:21 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a8bbe272-231b-4a9d-9870-be083e506110

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197731/
Detection(s):
SecuriteInfo.com.Packed-GDTC39F7D21AABF.7050.5845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61694bc09fb4d8593d65dd0f/reports/622f434c-1562-4ac6-afc2-b8e9388e4ab0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c84d7ba0-4e45-4e96-b519-0596fe506a3e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871064
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa380d5239ccf0409993f7cfb4c2345d2364f3795398de00ea5b2db86e9a2cbb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-15 09:37:05 UTC
AV detection:
19 of 44 (43.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vi4a2urzztyebgmt67h3jqrulurwj43zkomn4ahklmw3q3u2fs5q._file
Verdict:
malicious
Similar samples:
147a81a818e41f31acd78476ad65f7e59ff3c3bbd85626d91456838c8acacd11
RedLineStealer
319d10acfc388b91ab59503ab0d16ca888abaf05fa8e6ba4b1f7a34a61228b5f
RedLineStealer
5cdca6838044c712d83b192f693ae6da288d6cd065f431014f5569cbbe20b589
RedLineStealer
5ced62a4d85fd3bd2eaa51c44e5b08c4f57672de89782fc8a002172db3e8ed2f
RedLineStealer
93cab9c0bb921b19441630eaff516d547c8083dd1e2bd7b8b799ec282af5ef23
RedLineStealer
dc0a6070aa94dcdeb01ddc73b7d368d4be7956e9edb3b193a409bb3bdb3094fa
RedLineStealer
+ 2'744 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:shop discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211015-llhataagd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.9.20.107:46187
Unpacked files
SH256 hash:
ea9938c25e74408b2038640d2d4154f5ded06314d4a727181f22e24a392c9e4c
MD5 hash:
11a0707c7a7d5452e821f6a3a965ce70
SHA1 hash:
fa13564dc1f2f1d383713286b2006d0d61acfa59
Link:
https://www.unpac.me/results/1a00f33d-7c80-44c9-bf51-fcbd005841ba/
SH256 hash:
088a4a44c91fcc1582f6b85d40a1bf42d5ae7753dd9e23ff8b481ae920843c66
MD5 hash:
b23523c1f7d4ac26f063a956afc61b42
SHA1 hash:
3ea6b7d060779c8b9709c9460c07e66a79bba7cc
Link:
https://www.unpac.me/results/1a00f33d-7c80-44c9-bf51-fcbd005841ba/
SH256 hash:
d47ebe96ad469dd6c5c02709536e9578696070dc3f206f7a2e7b026fd2b24be8
MD5 hash:
4552089bf168eeeb8fbcb9ce22568228
SHA1 hash:
22959818ee808c5623657720524bda0141552166
Link:
https://www.unpac.me/results/1a00f33d-7c80-44c9-bf51-fcbd005841ba/
SH256 hash:
aa380d5239ccf0409993f7cfb4c2345d2364f3795398de00ea5b2db86e9a2cbb
MD5 hash:
c39f7d21aabffec2e14e7484ed6afe03
SHA1 hash:
ebc0316b53f68ee2f71d9c07aaf10436d9401816
Link:
https://www.unpac.me/results/1a00f33d-7c80-44c9-bf51-fcbd005841ba/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/aa380d5239cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa380d5239ccf0409993f7cfb4c2345d2364f3795398de00ea5b2db86e9a2cbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe aa380d5239ccf0409993f7cfb4c2345d2364f3795398de00ea5b2db86e9a2cbb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197731/

Comments


Avatar
zbet commented on 2021-10-15 09:36:37 UTC

url : hxxp://45.9.20.107:7768/BUD.exe