MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4312b6580e52e53c37de5125e292c6f0d0cff92774056ce7307fe37372885c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	b4312b6580e52e53c37de5125e292c6f0d0cff92774056ce7307fe37372885c7
SHA3-384 hash:	f0e6f9921f8a3322c4538f39564cf0c0bca0ce8815eefe280e66923ecd5c4c7e4671b69a08fd86a85ba33fb3db591be8
SHA1 hash:	845c639a7e1f749161e671bf8c4b860a3a3eb029
MD5 hash:	76b9c753c5133d59ade0e315865d7b97
humanhash:	stairway-louisiana-seventeen-timing
File name:	KRAKEN.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'802'560 bytes
First seen:	2021-10-23 16:44:32 UTC
Last seen:	2021-10-23 18:12:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	908bea7ee71339f1c35ba419da3ba679 (36 x RedLineStealer, 2 x RaccoonStealer)
ssdeep	98304:rLrQPdik3gPpBv+ZH3JL4Uvd5mEcvc1GU49/twafMmymlz:rxk3+L2Z2edAEck6/twaUyZ
Threatray	68 similar samples on MalwareBazaar
TLSH	T17626022322654053E4E18C398527BEF531F6175AAB82ACFF5AD65EC12A315D0F333A93
Reporter	Anonymous
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.255.133.25:18225	https://threatfox.abuse.ch/ioc/236935/

Intelligence

File Origin

# of uploads :

# of downloads :

599

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/199591/

Detection(s):

SecuriteInfo.com.Variant.Razy.971169.21497.3227.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm packed

Link:

https://www.filescan.io/uploads/6174f68aa9d585e6d53702fa/reports/3c099b63-ecad-48ba-946e-ad09d85f9561/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12437d5e-2438-48fc-bc01-a0040509df26

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/875692

Signature

Allocates memory in foreign processes

Found detection on Joe Sandbox Cloud Basic with higher score

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4312b6580e52e53c37de5125e292c6f0d0cff92774056ce7307fe37372885c7/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-10-23 16:43:28 UTC

AV detection:

10 of 41 (24.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wqyswzma4uxfhq354ujf4kjmn4gqz74so5afnttta77donziqxdq._file

Verdict:

malicious

RedLineStealer

4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e

RedLineStealer

46878cf16c919445a9e5ada3ff03ca3465c03323a3e8b31c2de38eae1c9259e4

RedLineStealer

5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b

RedLineStealer

6c2ad98af84288aff6f49ae92f9f71befbfaa4ac35d1a05b1441f1ce15124ee0

RedLineStealer

84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04

RedLineStealer

8867a5229762e4b01828f7295c0821f4acd8545acb7fc648b05b87da54754120

RedLineStealer

a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4

RedLineStealer

ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e

RedLineStealer

+ 58 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer spyware

Link:

https://tria.ge/reports/211023-t9dxasdcgn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

777adbc4ee7ebb91ba36ac6519dd3062fdf63f8a624394fd4eb55b9bc97596cd

MD5 hash:

84b77cd51978ad685293ef0ed7bcf2ed

SHA1 hash:

e934215894c8dc68a4a43d5046af78c0db1f3917

Link:

https://www.unpac.me/results/353b5e0e-d56e-429f-b1dd-1b61f73f013b/

SH256 hash:

b4312b6580e52e53c37de5125e292c6f0d0cff92774056ce7307fe37372885c7

MD5 hash:

76b9c753c5133d59ade0e315865d7b97

SHA1 hash:

845c639a7e1f749161e671bf8c4b860a3a3eb029

Link:

https://www.unpac.me/results/353b5e0e-d56e-429f-b1dd-1b61f73f013b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b4312b6580e5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4312b6580e52e53c37de5125e292c6f0d0cff92774056ce7307fe37372885c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/199591/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample