MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab13f05aec11044e1c4553a42b85ebc1bcc0aed156edf0e940a8a18e03470cef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA File information Comments

SHA256 hash:	ab13f05aec11044e1c4553a42b85ebc1bcc0aed156edf0e940a8a18e03470cef
SHA3-384 hash:	3d0620360d219f9f5accd7f305684709b71eb17cf7d83a9a2d88d780ba856f4bd512b3e4c1496151ca4f1574b4c385ce
SHA1 hash:	bad2230f9fecec05e2084c890f09baee7d6c0d94
MD5 hash:	02094a346651e3aef3b743191aa5e017
humanhash:	orange-colorado-october-hydrogen
File name:	02094a346651e3aef3b743191aa5e017.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	349'184 bytes
First seen:	2022-06-07 15:40:01 UTC
Last seen:	2022-06-07 16:42:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	02ee03c23f6783b8d8f850cc4178358b (4 x RedLineStealer)
ssdeep	6144:95M8HSslbptGYoVAAOJs1d3UjxWic8S6YXQ7oYJPtfawMZUJPM:9G8HSslz83U1SYyytRMZgP
Threatray	6'405 similar samples on MalwareBazaar
TLSH	T10774AE143491C336C572D4310AF5B2389A3ABB360F551EFBA7A85F6ADF271D0AB30652
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	319b1f27a5a54f9b (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.142.122.179:36803

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.142.122.179:36803	https://threatfox.abuse.ch/ioc/663716/

Intelligence

File Origin

# of uploads :

# of downloads :

326

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

02094a346651e3aef3b743191aa5e017.exe

Verdict:

Malicious activity

Analysis date:

2022-06-07 16:40:45 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a89ca3d5-c59b-42c5-921f-e0e9a8c6bc80

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/277457/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.62859.21935.30940.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe greyware packed

Link:

https://www.filescan.io/uploads/629f715d1fdbb8e83146e795/reports/29d3b3e7-47eb-42f6-bc49-a1b737d4c47d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0e72f32f-4b68-4909-82f6-dd77eba075fd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1008349

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab13f05aec11044e1c4553a42b85ebc1bcc0aed156edf0e940a8a18e03470cef/

Threat name:

Win32.Trojan.RelineStealer

Status:

Malicious

First seen:

2022-06-04 13:56:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmj7awxmcece4hcfkoscxbplyg6mblwrk3w7b2kavcqy4a2hbtxq._file

Verdict:

malicious

RedLineStealer

64004d7d52e9829b6498aa7e703f755278a6ac713c9c944f8bf5238a1e822c8d

RedLineStealer

8216e4c1977597afe01bb3c0a47631bd7608963a38ca6c396790fbf37d0fcffb

RedLineStealer

986b1e107fdcf5ba3eec492626b08ea3d4e2091931d10b196a11c790a6f43d0c

RedLineStealer

cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2

RedLineStealer

ee99ebb5242fcb97bf73e360b27a7cbc100483e46421b8af6676413fbda19a83

RedLineStealer

+ 6'395 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:3 infostealer spyware

Link:

https://tria.ge/reports/220607-s38mnaaeg4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

45.142.122.179:36803

Unpacked files

SH256 hash:

58141d62a79bcd74c2d0d136928405e20cc4769e2f4ffacf540183f98eec8c98

MD5 hash:

9ff121f13342932a1a5acf24f2f9f5a3

SHA1 hash:

3047df4e5918d6aa4ef9e94686d515069dfc2047

Link:

https://www.unpac.me/results/4b131d99-ac99-4fa4-bfb5-972a3bdec902/

SH256 hash:

ab13f05aec11044e1c4553a42b85ebc1bcc0aed156edf0e940a8a18e03470cef

MD5 hash:

02094a346651e3aef3b743191aa5e017

SHA1 hash:

bad2230f9fecec05e2084c890f09baee7d6c0d94

Link:

https://www.unpac.me/results/4b131d99-ac99-4fa4-bfb5-972a3bdec902/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ab13f05aec11/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab13f05aec11044e1c4553a42b85ebc1bcc0aed156edf0e940a8a18e03470cef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/277457/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample