MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a
SHA3-384 hash: a5ad49a69c39ebaa0a17d3cfa3ef3950fbe8b80d36fb9c71ed0038b99660fa7fb4317a2c6209387fbc7e86b30743c6cc
SHA1 hash: 3038354d3a0db8fac7fd21d93ef67595d7a6451c
MD5 hash: deed0a52ca7cb4b4aea9f4d07b2885be
humanhash: sierra-florida-south-hydrogen
File name:deed0a52ca7cb4b4aea9f4d07b2885be
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:415'744 bytes
First seen:2022-05-22 12:16:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0588ee478c2f970a1d27d379ec7f0453 (7 x RedLineStealer)
ssdeep 12288:0ZytVkWAkllmBUDkK7dNRWXpsATdtUl+:ZD1AkShK7dNRWGApal+
Threatray 6'280 similar samples on MalwareBazaar
TLSH T10D94AF10FA90D034F4B7D5F84979826CB92E7DA1AB24A0CF22D53AEE56746D0EC31B17
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
deed0a52ca7cb4b4aea9f4d07b2885be
Verdict:
Malicious activity
Analysis date:
2022-05-22 12:19:29 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/6f7b9015-114f-468b-8124-581418f43ebe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273432/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19536/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/628a29fe6eb3ff32631eea65/reports/d6e0bf96-ff2c-433d-939f-0ea9bfe67d50/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2607c386-0ed3-44f9-9778-f52ed26bc2a9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999330
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 12:17:10 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmulfj6dribbrotd54255vo6tsqfcscvi2o3wqykba7vxt6ynn5a._file
Verdict:
malicious
Similar samples:
04eb472779a21aaea0da53a19d85d756172b3bb387d91a07d43e907f296504d3
RedLineStealer
1a12ff0fc0c9ffc1d06b2f448eaa7ce816bfbc15614fb65c4157bd90e2fa4f88
RedLineStealer
39d8509d39e4aa1cd0cc8c3efedc0ffbc8898c2ed9ff2526316d2ad8bacb24e2
RedLineStealer
5b1556fc720ead9f3505bbffa66fb38c1bd724fed4d09530a33e4b12cd300904
RedLineStealer
6347eda7821b2807e969568f9125af76656c78f222ccf221efa4b8b2a23adf0e
RedLineStealer
8e8f1b702c2fc78e020c6025ae7a9044512e8bca0af5c633dd21fecf2a7ecfd4
RedLineStealer
+ 6'270 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lyla2 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220522-pf13hsaac8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
185.215.113.201:21921
Unpacked files
SH256 hash:
f78ee6050322de3ea675fa81ab5d4f7ea0d1c92a2723cc3918fefbc170e67bed
MD5 hash:
fffb705283baf6c8c34533edc512f03c
SHA1 hash:
ed76ab37f40c043d1b3a5d92df8ff23dd662a7f5
Link:
https://www.unpac.me/results/6a68f4c7-53cc-4dfa-9048-1a3f24bbaee7/
SH256 hash:
9af23fa714b3a3011ff70f4b630cb1f538eab75de42e911fb6c5483757438e72
MD5 hash:
ef52cb6eba55c7ff5424efd7deb3916e
SHA1 hash:
dd5adf710f3de184823ddbe9568eb6c35324ed59
Link:
https://www.unpac.me/results/6a68f4c7-53cc-4dfa-9048-1a3f24bbaee7/
SH256 hash:
e5c0b3a94437fac397ff0592da8f17d26ff6661f77998cfc704898b5c5310ea9
MD5 hash:
6bf03e71a9b0b7d86021340f9c8ceebc
SHA1 hash:
01c52aef94e5c9d2062615379dee703a4f114536
Link:
https://www.unpac.me/results/6a68f4c7-53cc-4dfa-9048-1a3f24bbaee7/
SH256 hash:
ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a
MD5 hash:
deed0a52ca7cb4b4aea9f4d07b2885be
SHA1 hash:
3038354d3a0db8fac7fd21d93ef67595d7a6451c
Link:
https://www.unpac.me/results/6a68f4c7-53cc-4dfa-9048-1a3f24bbaee7/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab28b2a7c38a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2206610/
Cape
Cape
https://www.capesandbox.com/analysis/273432/

Comments


Avatar
zbet commented on 2022-05-22 12:17:04 UTC

url : hxxps://incricinfo.com/6/data64_4.exe