MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b086a9961ead4ef6987df7cdddb708aa56dcf9be9ca4da189504356358cba60c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 3 File information Comments

SHA256 hash:	b086a9961ead4ef6987df7cdddb708aa56dcf9be9ca4da189504356358cba60c
SHA3-384 hash:	68e33e7549c7e800ad35463cad92e530dee2afdbc389754e8f00d91f6a64745f4d480c38c1a0ec2060b86e53d254c3e7
SHA1 hash:	29e8f2a843c7861861f34a88ee042afe3a8a409b
MD5 hash:	c2d30ac4e67a887a146ef6aa6d443f81
humanhash:	alanine-blossom-earth-zebra
File name:	c2d30ac4e67a887a146ef6aa6d443f81.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'429'824 bytes
First seen:	2022-02-16 19:31:47 UTC
Last seen:	2022-02-16 21:51:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7dc28ef949f54ad98c715895ecc34cff (79 x RedLineStealer, 2 x Formbook)
ssdeep	98304:tA7YqkxZypQj7C7Dzlhmac4dXE+j4Vwt824GY3TPpm82Slf:tA7Y2pZzlhmacuXE+4+tbYDDNf
Threatray	1'314 similar samples on MalwareBazaar
TLSH	T1322633FF6BD466F4CE5D313C4F4E076ABE58022EF9771A81705B1E06BA68A023836574
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.41:15912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.41:15912	https://threatfox.abuse.ch/ioc/388265/

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/242049/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed yakes

Link:

https://www.filescan.io/uploads/620d513fa2660f3bb9e8de15/reports/c0dadb54-7de3-44b4-a9ca-8ad061e82618/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f58b92f2-f75a-4fe9-8cd8-5115c9d9b0e0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/941135

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b086a9961ead4ef6987df7cdddb708aa56dcf9be9ca4da189504356358cba60c/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-02-13 16:13:00 UTC

File Type:

PE (Exe)

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wcdktfq6vvhpngd567g53nyivjlnz6n6tssnugevaq2wgwgluyga._file

Verdict:

malicious

RedLineStealer

0ba5bc2a4412ad5a9e6c873d77ca59d2650ca6138126737e02f89a0581832ed5

RedLineStealer

2611cbdb42c4bcff5f9d1027c2b72e38ac6dd5fc76712ebd7d56d833077072ff

RedLineStealer

5aaecc91eecab8970deeef790df826ad10dd5fb4a40695b1143b9a84773c3223

RedLineStealer

6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71

RedLineStealer

77fcb4636a483ee37fdb9b76a082b64a1338c8d4c45a8a77e91791e475e6d9fa

RedLineStealer

be67e330d0bef51a2a9a38ade42a2720196bd0d34878c7b916821b79d3af9c14

RedLineStealer

f64e3c866330ca01c29ee5b0a32c6044b5c7048a5a61d49901d45ce0f0a105a5

RedLineStealer

f7708c99c5e08993335b8a6ee65062535d8b2e5298fbecc62a5601817a3d9b2f

RedLineStealer

fdeed70096a355602d70f5fe69743e29f211ac07f1f4406b8a96015c0ec9b329

RedLineStealer

+ 1'304 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220216-x8y3maddfl/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

5e1cc8ad82e84b67875c82eaab7008e550b79ed6c751f75e43dd24c24e81efb7

MD5 hash:

f1832a2e597981c2c25a7e8e5086ab8f

SHA1 hash:

0b78728d03498799563c7ea6add1298039598996

Link:

https://www.unpac.me/results/6c373cb5-945f-4ca4-860f-12e09857ad94/

SH256 hash:

c341003b7080d77a2ece71f356d412ed2aa6241291a41f13b21e30360cdd07a2

MD5 hash:

a47030c56a6455019faa900c7bff2096

SHA1 hash:

b0ce6bd0e726a9f31f8e40d4b5245e22f2f2515d

Link:

https://www.unpac.me/results/6c373cb5-945f-4ca4-860f-12e09857ad94/

SH256 hash:

b086a9961ead4ef6987df7cdddb708aa56dcf9be9ca4da189504356358cba60c

MD5 hash:

c2d30ac4e67a887a146ef6aa6d443f81

SHA1 hash:

29e8f2a843c7861861f34a88ee042afe3a8a409b

Link:

https://www.unpac.me/results/6c373cb5-945f-4ca4-860f-12e09857ad94/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b086a9961ead4ef6987df7cdddb708aa56dcf9be9ca4da189504356358cba60c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/242049/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample