MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad1349f4c6eed7853d49d7b957ac4d5a0625080d5786b59d17ab7c9614ed8dcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	ad1349f4c6eed7853d49d7b957ac4d5a0625080d5786b59d17ab7c9614ed8dcd
SHA3-384 hash:	4747b51a685dc8aff00ceccd6ab929515afa06c538016a36c6c882637559eacff056a8482ad89fd8135dd2943611c7b5
SHA1 hash:	3fb2bb4d6bc06224550b7152cdfe7a45d91db2f0
MD5 hash:	301cabdabfe9c9b5db9b5a3c01138eb6
humanhash:	lima-winner-three-violet
File name:	301CABDABFE9C9B5DB9B5A3C01138EB6.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	389'632 bytes
First seen:	2021-06-07 05:41:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cbeae8361a19a91fa1242808c9b08b0f (2 x Cryptbot, 2 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	6144:nXIdawPEIXt3W2iDj9ezw1/kfdqZycRUnBelSb0wYWlENYO:nXIdawMat3WL9eak14dR6klSblZK
Threatray	755 similar samples on MalwareBazaar
TLSH	C7849E10B7A0C034F1F312B49ABA92F9A53D79E16B2450CF62D52BEA5B746E1EC31317
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.15:61506

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.15:61506	https://threatfox.abuse.ch/ioc/72124/

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

301CABDABFE9C9B5DB9B5A3C01138EB6.exe

Verdict:

Malicious activity

Analysis date:

2021-06-07 05:52:31 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/38d64c61-acc9-4f47-9974-4df6e86a5bcb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/164831/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Connecting to a non-recommended domain

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/797912

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ad1349f4c6eed7853d49d7b957ac4d5a0625080d5786b59d17ab7c9614ed8dcd/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-06-04 18:03:42 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vujut5gg53lykpkj264vplcnlidckcank6dllhixvn6jmfhnrxgq._file

Verdict:

malicious

RedLineStealer

1f090615b025ca978616652c41369f2331100c7650dabd92ee0fa650f29de47d

RedLineStealer

2ce49790c93a75fd2b55f5a5dc294eca7f200c784fe16b4c9d14c1491a2363a5

RedLineStealer

4214be5d965b37b39719e498f254a788bc458c9e943e1d99e7a5b781892d237e

RedLineStealer

7ff8de714cd1be1409b0c13a946c21f945a0bfdc8fd7e0b1a0f4e20f3ba0e80a

RedLineStealer

8868ce65c7fb73b3b89c48f97e16249139f94e759ff44d955e493f0651ae5f3b

RedLineStealer

9c57d0fc5a49debe9dbb49bfebe011bcf249542f6bbd4eefd41c75c3b5ff7d51

RedLineStealer

d2e0e8c973c2e376d189271f581d1ffec730f8ca41dfc1e3d9ef0b675366ee9a

RedLineStealer

da4c20f19fd8c1e1decf936cf6e2b592c39db829546f029f7be0d46e3baba5d1

RedLineStealer

f29a98849772d487f462daadc5072112353b52fa17ffeac2d2e8d669fcffe573

RedLineStealer

+ 745 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:04.06 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210607-dp311lr6ds/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.15:61506

Unpacked files

SH256 hash:

b775939543ae4eaa9888eaea84952b950f266080fca6a43c2d32b241bb15009f

MD5 hash:

8e91831a84b1e85eb3adedd2304ce7e9

SHA1 hash:

afb6d4d69556b815a5c006e1c643cdc137607cd5

Link:

https://www.unpac.me/results/3eaebfe3-11c2-482c-928c-21a18846745c/

SH256 hash:

ec6878a0be347d5d8ede164f118edca06b3f7c2afaf2f67f71838f297d23ef12

MD5 hash:

8d41593d7c420add1f09921f41e0ffcf

SHA1 hash:

a4b287b1cbc54374aad3d4d9b345ff0f794a2052

Link:

https://www.unpac.me/results/3eaebfe3-11c2-482c-928c-21a18846745c/

SH256 hash:

141ee089572b92a356c7041529645e2c5eff2c76f7289520c216c43b5727410c

MD5 hash:

7c6a34da43e3472f59f5eafadb0c612f

SHA1 hash:

73c213d6b61dbabdef1a230befba2927a267acff

Link:

https://www.unpac.me/results/3eaebfe3-11c2-482c-928c-21a18846745c/

SH256 hash:

ad1349f4c6eed7853d49d7b957ac4d5a0625080d5786b59d17ab7c9614ed8dcd

MD5 hash:

301cabdabfe9c9b5db9b5a3c01138eb6

SHA1 hash:

3fb2bb4d6bc06224550b7152cdfe7a45d91db2f0

Link:

https://www.unpac.me/results/3eaebfe3-11c2-482c-928c-21a18846745c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ad1349f4c6eed7853d49d7b957ac4d5a0625080d5786b59d17ab7c9614ed8dcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/164831/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample