MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab8751727e68331389b28f69e721260a8b920405eb0547829f4479d4e269a9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab8751727e68331389b28f69e721260a8b920405eb0547829f4479d4e269a9f9
SHA3-384 hash: 2a120c15d32875bbf8ef7ac87dadc032091923fe6e294df294d0eb37bc7637e73529cdba5df6c721048d6431e05b8eb1
SHA1 hash: e552ca381fcccf231392d225b6ba5dc470f7be04
MD5 hash: c84921a3720715ec0bd094b1dfbdbf17
humanhash: echo-earth-diet-pasta
File name:Crаck[Full Version].exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'731'217 bytes
First seen:2022-11-11 05:00:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep 98304:EPWvWxTsjxgPgsRYNj5kY4v7dCc4PrLEvnwwCiLjhKr+gp8Ab:EPWvWxTsjxrsRaiY2d52rLEvl9jopb
Threatray 1'259 similar samples on MalwareBazaar
TLSH T1C62633921351CF8FE25F7EB24C2F46D0F79553A12EA3A843529638BE3ECA3D96444247
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00a28e8e8e8e8600 (13 x RedLineStealer)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Full_Version.rar
Verdict:
Malicious activity
Analysis date:
2022-11-10 07:58:01 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/0ebc4b46-daab-419f-9e24-dae39841a43e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332255/
Detection(s):
Win.Malware.Redlinestealer-9973726-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51203/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/636dd7105ae98d577068bcb6/reports/c9f9aac3-ecee-4672-8f6c-e4760107c400/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bc04c59-70f9-4842-a2e7-4d0d4c9754f6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1111009
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743706 Sample: Cr#U0430ck[Full Version].exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 4 other signatures 2->56 8 Cr#U0430ck[Full Version].exe 9 2->8         started        process3 file4 30 C:\Users\user\AppData\...\@nkt_21_crypted.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Roaming\822156756.exe, PE32+ 8->32 dropped 11 @nkt_21_crypted.exe 1 8->11         started        14 822156756.exe 8->14         started        process5 signatures6 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 62 Writes to foreign memory regions 11->62 66 2 other signatures 11->66 16 AppLaunch.exe 15 5 11->16         started        20 conhost.exe 11->20         started        64 Antivirus detection for dropped file 14->64 22 powershell.exe 11 14->22         started        24 powershell.exe 11 14->24         started        process7 dnsIp8 34 45.138.74.121, 49715, 80 HOSTGLOBALPLUS-ASRU Russian Federation 16->34 36 192.168.2.1 unknown unknown 16->36 38 api.ip.sb 16->38 40 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->40 42 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->42 44 Tries to harvest and steal browser information (history, passwords, etc) 16->44 46 Tries to steal Crypto Currency Wallets 16->46 48 Queries memory information (via WMI often done to detect virtual machines) 22->48 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab8751727e68331389b28f69e721260a8b920405eb0547829f4479d4e269a9f9/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-10 01:46:29 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vodvc4t6nazrhcnsr5u6oijgbkfzebaf5mcupau7ir45jytjvh4q._file
Verdict:
malicious
Similar samples:
17c782177fd60691f9d7b6e59105d282d6c67dc498a0e22b057623298c74bcb6
RedLineStealer
2a1276d50bffabe2b41cd6c789ef1b5df02080d1ed1c87acce6bcc91f0ac29f8
RedLineStealer
c852a4667cd669458b5511fbc5d272b4a4451f1e6f0f7831943969d1fc2aa319
RedLineStealer
f86ee47a389088c698657b5c59ef560de1e91df3a1e537391f2b05fda4f3ecd5
RedLineStealer
f89591af6e584606d8e0539bef829391b5e879678c2baa0e748b92ea758c56cc
RedLineStealer
ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a
RedLineStealer
ffc311faa60a3952e30c1e72997d8c58bd64b40ba5ebd710af68616b9e96ac7e
RedLineStealer
+ 1'249 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware stealer upx
Link:
https://tria.ge/reports/221111-fnjzjabcdj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
RedLine
RedLine payload
Malware Config
C2 Extraction:
45.138.74.121:80
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd8298b7-6772-4eec-b312-95bd98b757c9
Unpacked files
SH256 hash:
b41ecef9dac4cc4ed287ccbc5ae92ab1c897b97d9506e4e484bb764a8df9d2f9
MD5 hash:
a7c33998581076d2a6111f91f74b9cee
SHA1 hash:
da55819327927bebf605c251fe93e36ebe0e42d9
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9ec0164e-3665-49a3-8963-28ded7cc6d69/
SH256 hash:
882981b8b9a9266ed632c81cf2f4406edf4d2c1fe876d11ee26d3825d7d8b3d5
MD5 hash:
4c6674fb6457c244c042e4ad04f46138
SHA1 hash:
a8554c33162a0e065ae64b777b244bcff7e4e33c
Link:
https://www.unpac.me/results/9ec0164e-3665-49a3-8963-28ded7cc6d69/
SH256 hash:
ab8751727e68331389b28f69e721260a8b920405eb0547829f4479d4e269a9f9
MD5 hash:
c84921a3720715ec0bd094b1dfbdbf17
SHA1 hash:
e552ca381fcccf231392d225b6ba5dc470f7be04
Link:
https://www.unpac.me/results/9ec0164e-3665-49a3-8963-28ded7cc6d69/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab8751727e68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab8751727e68331389b28f69e721260a8b920405eb0547829f4479d4e269a9f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ab8751727e68331389b28f69e721260a8b920405eb0547829f4479d4e269a9f9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/332255/

Comments