MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab641dd1be68180384781bbc81d417c6de2025981e0777199b404e15f46516b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab641dd1be68180384781bbc81d417c6de2025981e0777199b404e15f46516b1
SHA3-384 hash: 6a9f27d6e0b32fa7e58b68786f39cd82fcfd16ea79f16d3fc725c8f77e54de1d52657c49164043267fe5122b3bbeaee3
SHA1 hash: 2a2d4e6c10a28a4cbad37ac66f647143b03df62e
MD5 hash: 6fc69715ac4c5622d71da0c7787f3c3b
humanhash: solar-three-don-queen
File name:6fc69715ac4c5622d71da0c7787f3c3b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'048'328 bytes
First seen:2022-03-03 09:11:07 UTC
Last seen:2022-03-23 21:14:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 98304:7k5KokIGjifuHc0Jil2TZKax9dCUia10WrbniOy4SCTewCX2w:wxNv0cCZKax9AUia1Tbir4STw+2w
Threatray 1'509 similar samples on MalwareBazaar
TLSH T19F1633C211A09DC3C0D16EF57E927A8AB0BA110396D8E74DE9F34674DCAE6D6C5B80F1
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
86.107.197.177:1976

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
86.107.197.177:1976 https://threatfox.abuse.ch/ioc/392272/

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246831/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Packed.Fragtor-9940182-0
Create hunting rule

Win.Packed.Crypterx-9940465-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9469bed3-d8c1-4db0-adb9-1aef9d84d79f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949813
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential dummy code loops (likely to delay analysis)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab641dd1be68180384781bbc81d417c6de2025981e0777199b404e15f46516b1/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-02-26 14:55:40 UTC
File Type:
PE (Exe)
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnsb3un6namahbdydo6idvaxy3pcajmydydxogm3ibhbl5dfc2yq._file
Verdict:
malicious
Similar samples:
2d6a2c000a65290f3a6cae16c26fe29589795065ad4aeb9d5548efd900969f9d
RedLineStealer
43af6cbdb4759c2ec4be6716793ea601c72e81b8914aeae414fa398cd425b7c4
RedLineStealer
5bb619d6a64bf773cca69487f857302e1394756c1be6fc87323d973a972ff761
RedLineStealer
92658a69d2939c08c0b2e75389b34b787da9c32c38742827f8bd85ccb549efc9
RedLineStealer
a0d1491726a47bc5fa97a7dee7718557fabbb2417d48ae79dca8302d5106604c
RedLineStealer
a1c8df46d40e59f9d8a3b01c02b454785afb25e993139fc69e12f5c358db95fa
RedLineStealer
a99c0c8a8f3183f768022962854e52f60090cf4bb96e700a549378e838324788
RedLineStealer
b5938c03650e60c155fcd791580459cabb77d515f3d4e97afab7e3175c3b6e9e
RedLineStealer
b9929a133828adf8780d52255ab5464139d7cd729e4778e5ac6e658b84281cbe
RedLineStealer
f3940f6c65cda4da86d1f9712223b8a278cd0dc90f701938a38a61ff74c66c66
RedLineStealer
+ 1'499 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-k56xvabhdj/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
16eacee511ede68a3135b68c780f1cb6c1628fe7157391b25fcc148ff09fa725
MD5 hash:
32cda7fc70734655d6242df397c78c73
SHA1 hash:
41acc5f0b383062ba7c38a7de3def32499d07236
Link:
https://www.unpac.me/results/198f0419-59eb-4990-8453-81268babe79b/
SH256 hash:
a440818d68dea1b2c19eca38c31ae7a3805fd3c509ab0045bbdd7edaab8c3135
MD5 hash:
7e6aa848d3abcd7647cc37f3a18b1ab3
SHA1 hash:
25c46a1ebf7dbe5ae72ac240e323f870ba1592a5
Link:
https://www.unpac.me/results/198f0419-59eb-4990-8453-81268babe79b/
SH256 hash:
ab641dd1be68180384781bbc81d417c6de2025981e0777199b404e15f46516b1
MD5 hash:
6fc69715ac4c5622d71da0c7787f3c3b
SHA1 hash:
2a2d4e6c10a28a4cbad37ac66f647143b03df62e
Link:
https://www.unpac.me/results/198f0419-59eb-4990-8453-81268babe79b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab641dd1be68180384781bbc81d417c6de2025981e0777199b404e15f46516b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ab641dd1be68180384781bbc81d417c6de2025981e0777199b404e15f46516b1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2073134/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246831/

Comments