MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c
SHA3-384 hash:	ca2f7ceb4967967be7583ccb545b0b1f75c61b72733536409684a5b90036171e6a7de9ad15f42bf5c54d21e6fbebc0b7
SHA1 hash:	88cbe94083d98e21004ac1123925b91178b155d3
MD5 hash:	30a68e426267ca32461e90bbc9749272
humanhash:	whiskey-cup-minnesota-nitrogen
File name:	30a68e426267ca32461e90bbc9749272.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	444'928 bytes
First seen:	2022-02-28 22:36:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e8b8f8153c32d6c9f802940e99bf478d (1 x ArkeiStealer, 1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep	6144:QdYoz1zFiGdORF+5Fo0W0WO7PEJ5vLcF7ITsqxeigaS:QdF1BXTO0dTEJ54F7uT
Threatray	4'724 similar samples on MalwareBazaar
TLSH	T1A294E0F27691C9B1C0412D309466DEE0597FBC22E9619A47F378AB5E2E313C1667A30F
File icon (PE):
dhash icon	81bcdcac9c8cb484 (7 x RaccoonStealer, 5 x RedLineStealer, 2 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
94.103.9.153:9484

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
94.103.9.153:9484	https://threatfox.abuse.ch/ioc/391422/

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/245467/

Detection(s):

Win.Dropper.Raccoon-9916366-0

Win.Dropper.Stop-9938042-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7652/overview

Behaviour

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware hlux lockbit mikey raccoon

Link:

https://www.filescan.io/uploads/621d4e8fb94fb38cb42881c6/reports/9eb7fa31-dac3-40f7-878c-f09ed79e9246/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ef4d7ac-6f84-4975-992c-e22f7b299225

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/947729

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-28 02:53:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 27 (96.30%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wvetbz4t6napqb5lesjovdorqjr76jtxa3u3ggwezzy6trp2prga._file

Verdict:

malicious

RedLineStealer

2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5

RedLineStealer

7c2744fc926928de15df923b58294b6c1318fb7b01a96399e661f328220d005b

RedLineStealer

9f157ceaee5858d2f77f1f828d9dc8417c7c99a65b4412896ac0231416336393

RedLineStealer

ba195a9f090cb803df55df40d839f95e335234a13d3207f65efa46c3d0f837d0

RedLineStealer

f4128b1298fd05caadb8c40c93588c09c4f636b997afd88f35a9898ceaf6d2e8

RedLineStealer

+ 4'714 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:xxx discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220228-2jsxjafca9/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

94.103.9.153:9484

Unpacked files

SH256 hash:

c1d2ab9db1e249507d70b363e64f456f2a7e81cdfd782c6352e7482939e24bbb

MD5 hash:

2f51ad04de961d1c386155033d771b37

SHA1 hash:

e5d54bf744a6b22746572489a3903511ffd5b31e

Link:

https://www.unpac.me/results/96a811a7-97e2-4e12-b206-6376c01fa8a8/

SH256 hash:

c6d6e8e6cd939c01fe260db1c6d38fb5573ff0759b638b14bc1046b64ccb5ad0

MD5 hash:

b3aac29cca34c166c807da70a4e77f2e

SHA1 hash:

3a422e75278988d5a896b0e7f476f45892ce019d

Link:

https://www.unpac.me/results/96a811a7-97e2-4e12-b206-6376c01fa8a8/

SH256 hash:

9955bc3bfca75653f7b10454dffcc90f3154531535888d180274e8663655e2da

MD5 hash:

c393c902f6ec502ca662cc79c7c0e34a

SHA1 hash:

3a1a7645034227b5eba9b76225d4dc4f94fb1481

Link:

https://www.unpac.me/results/96a811a7-97e2-4e12-b206-6376c01fa8a8/

SH256 hash:

b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c

MD5 hash:

30a68e426267ca32461e90bbc9749272

SHA1 hash:

88cbe94083d98e21004ac1123925b91178b155d3

Link:

https://www.unpac.me/results/96a811a7-97e2-4e12-b206-6376c01fa8a8/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b54930e793f3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/245467/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample