MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acb9b2864fca2e951504878bb769f36fa60c22f3c437e16468533392ac7cd71c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acb9b2864fca2e951504878bb769f36fa60c22f3c437e16468533392ac7cd71c
SHA3-384 hash: 20ccf8d9fb295f98a5f6e94f03db955f29199b659bc1fce04ce7c84500c59d1de765dd73dee709a48dd4a9880bdb100c
SHA1 hash: 5d4d0e30895f21af52c8ec21aa5b1362f645e349
MD5 hash: 7b10287382cccd155628d70600a4368e
humanhash: carbon-hotel-august-maine
File name:7b10287382cccd155628d70600a4368e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:368'128 bytes
First seen:2022-03-22 06:41:30 UTC
Last seen:2022-03-22 08:50:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7711116627162a16abc82040806bb37 (3 x RedLineStealer, 1 x RaccoonStealer, 1 x Stop)
ssdeep 6144:w2YQFzVC+o1RjuryAXzGX2s7+atHqQfuep:waFzDoLjOZGX2s5Fue
TLSH T1097401213391D032D45214347A62C7B29A3EBC3506768D4B7B8577BE9FB03E2E6B9742
File icon (PE):PE icon
dhash icon e6adc6e4cfa5c642 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.203:44310

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.203:44310 https://threatfox.abuse.ch/ioc/433005/

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/254016/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.1987.9102.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10358/overview
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware
Link:
https://www.filescan.io/uploads/62396fbf0cd58dbd92d48665/reports/2f274e66-a10a-4b24-8977-58215db9fc3e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e8d2154-5fe8-4d07-ad80-88b8f04e1e80
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961438
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acb9b2864fca2e951504878bb769f36fa60c22f3c437e16468533392ac7cd71c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-22 06:42:10 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
20 of 42 (47.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vs43fbspzixjkfieq6f3o2ptn6tayixtyq36czdikmzzfld424oa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220322-hgc9hsahep/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7dbba15216dafea3fd54f1321f9c34fac6866a99459ac9b00f58309df41f173b
MD5 hash:
2c776fa7b4a436f964034bee655bfd3d
SHA1 hash:
b9a5b20173fbca4b462a24c3c38bee89b5da799d
Link:
https://www.unpac.me/results/193cc137-b00b-48ec-890f-98e67d3a7fc9/
SH256 hash:
877d606cf958874907b1a6e571f41c444abeef23b3f856b580a051674db1daa8
MD5 hash:
ee70d7de1e8410fc20c45cb12570fde8
SHA1 hash:
638f5eb046cc44b081d26ede89902cd1ea3fc301
Link:
https://www.unpac.me/results/193cc137-b00b-48ec-890f-98e67d3a7fc9/
SH256 hash:
41854ba3f5041902a292db91f41bce73d68332c50aa2c5242f610ea900ba022a
MD5 hash:
62bd1559293069158dad284a4a038325
SHA1 hash:
4211bdd3a14010ee9dd2c7dae6c8d38b5e7dc147
Link:
https://www.unpac.me/results/193cc137-b00b-48ec-890f-98e67d3a7fc9/
SH256 hash:
acb9b2864fca2e951504878bb769f36fa60c22f3c437e16468533392ac7cd71c
MD5 hash:
7b10287382cccd155628d70600a4368e
SHA1 hash:
5d4d0e30895f21af52c8ec21aa5b1362f645e349
Link:
https://www.unpac.me/results/193cc137-b00b-48ec-890f-98e67d3a7fc9/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/acb9b2864fca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acb9b2864fca2e951504878bb769f36fa60c22f3c437e16468533392ac7cd71c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe acb9b2864fca2e951504878bb769f36fa60c22f3c437e16468533392ac7cd71c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2109431/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/254016/

Comments