MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b148fae05d0312b5e92ea0c05955b3939c7ee6351aee3dc83afffbd292790d4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b148fae05d0312b5e92ea0c05955b3939c7ee6351aee3dc83afffbd292790d4e
SHA3-384 hash: 39ea86031d036c087beafc2a4412997f9f2a06c84081354f83db43b91b538a3cf5a75d892824ff4bacae74d8ac9a6ee8
SHA1 hash: 50803bd691ea7615b4a68d00312d247db5b91311
MD5 hash: 1c26a863c485ee7040fed5cd60d502e7
humanhash: bravo-minnesota-december-fillet
File name:1c26a863c485ee7040fed5cd60d502e7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:589'312 bytes
First seen:2022-03-03 17:31:44 UTC
Last seen:2022-03-03 19:50:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:uylTDM0XkU6e4LX3WJumdLPnv1QS03ULaHNqrxlKIQNoCZ0nFQYVvVSKU:K0vJPLPnv1kEaHNYK34FDvSN
Threatray 1'521 similar samples on MalwareBazaar
TLSH T106C4239B4BC1BF18C85F4F752C0AF95709D8AB6DE1A45856B07FD28C2BA503BBC1206D
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
188.127.231.79:39669

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
188.127.231.79:39669 https://threatfox.abuse.ch/ioc/392357/

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247072/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP POST request
DNS request
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3dde70e4-158c-461e-a2be-19c5166f9f32
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950248
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b148fae05d0312b5e92ea0c05955b3939c7ee6351aee3dc83afffbd292790d4e/
Threat name:
Win32.Trojan.Asprotect
Create hunting rule
Status:
Malicious
First seen:
2022-02-28 02:47:53 UTC
File Type:
PE (Exe)
AV detection:
33 of 42 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfepvyc5amjll2joudafsvntsooh5zrvdlxd3sb27755fetzbvha._file
Verdict:
malicious
Similar samples:
06cde650baa0c78fe43d0088f1948c7654a0330f6f59822332ccf5d90fafb120
RedLineStealer
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
RedLineStealer
0d46eeee299f7d4e4555a477e6a699bb166d5ea4a1344820eceb321e900ee68a
RedLineStealer
527b3ec7f548207e3ef8509973591509e5d61c91d613c232329204dfa35535be
RedLineStealer
a0f116de2de133c337d0f337036d3af6bebf69fd9f3e24191e9cb51ea3515bf8
RedLineStealer
c73ae6c7d2e981b85541696fa8a5592c6a7367222140a5d87988585a82e2213e
RedLineStealer
c9abc728dca7c4557f39ac69632735fe1a0cf29e12ae80e81b5912e8c6f929bc
RedLineStealer
d6c6604e4081f2de1edb2ce716ddcc8186f252ca1babc641b83e77fdf14fca7b
RedLineStealer
dd469d067ee8f95f77fa9de6ae88c95e3a3d1b35c908c04eeba82a46316d1990
RedLineStealer
+ 1'511 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-v4ahcsdfbq/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
ef7eaf381b875b95917f98c8648e91df61e107f9f6a394f5aed578fbd7b0ffde
MD5 hash:
5510ed90628c83d2ddb657816614976e
SHA1 hash:
9d96e4e30c4ecf0f68ba2e2e05ae2e683b10b4c7
Link:
https://www.unpac.me/results/d75a9dc5-7c8e-4ba5-b1d3-2c3bff350d87/
SH256 hash:
410f44af167251fc2cd0020189a3a1fc01df447cc6d191fcf5e37a1950c5bdd5
MD5 hash:
412b0a9f1fa9c4879c726dae059e071e
SHA1 hash:
4e0442998264e9cd6c30eceb54a6d0ac0fd60951
Link:
https://www.unpac.me/results/d75a9dc5-7c8e-4ba5-b1d3-2c3bff350d87/
SH256 hash:
b148fae05d0312b5e92ea0c05955b3939c7ee6351aee3dc83afffbd292790d4e
MD5 hash:
1c26a863c485ee7040fed5cd60d502e7
SHA1 hash:
50803bd691ea7615b4a68d00312d247db5b91311
Link:
https://www.unpac.me/results/d75a9dc5-7c8e-4ba5-b1d3-2c3bff350d87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b148fae05d0312b5e92ea0c05955b3939c7ee6351aee3dc83afffbd292790d4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247072/

Comments