MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b90c965f7af0f19fb8e248be73d113a0538c9e65cfadfbdda8b0da675dfc5c67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b90c965f7af0f19fb8e248be73d113a0538c9e65cfadfbdda8b0da675dfc5c67
SHA3-384 hash: fac795665f88e5bd2da69514bf9691cf224e0d78118956b769d4148c72c25f43b90bfba0755e399591defeaf9f752ec5
SHA1 hash: 4c16ba484748a7d0f988bc5f4ba3e9ce79db9dea
MD5 hash: f2502112f52c408bfe9fd28671570b1f
humanhash: neptune-rugby-hydrogen-enemy
File name:f2502112f52c408bfe9fd28671570b1f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:353'280 bytes
First seen:2021-08-26 06:16:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6ee633166e72a1d10f4f54440093ac0 (4 x RaccoonStealer, 2 x FickerStealer, 2 x ArkeiStealer)
ssdeep 6144:l/8jEKLYFRR9PoxSc3+HNHxVbw+q+NQKYZ8bE71r+v:GjtQRDPo13+HNH/w+NQJ8
Threatray 5'217 similar samples on MalwareBazaar
TLSH T16A74BE30ABA1C035F5B752F845AA83BCA53D7AB15B3440CF62E51AED06386E5AC3075B
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f2502112f52c408bfe9fd28671570b1f.exe
Verdict:
Malicious activity
Analysis date:
2021-08-26 06:16:59 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/6b3620a3-505b-40c4-a5b5-6e7efd86eaea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182491/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.65104.14783.13835.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4b66b24-45a9-40e3-863c-8745213441f9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/839490
Signature
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b90c965f7af0f19fb8e248be73d113a0538c9e65cfadfbdda8b0da675dfc5c67/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 22:40:27 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
RedLineStealer
09d58d081dd9364e99857ac273d52a17a0473cc64e64d0e15b2b9b2f67ef2d49
RedLineStealer
0ed83aa95f87e65e843b791c92419d0c1d34e5b01cc0be01715009f679ddc220
RedLineStealer
121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e
RedLineStealer
24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52
RedLineStealer
454502a482ab39089110794df0396bcaf031fe9dd4dbc38ab7a9e45244756b04
RedLineStealer
4f95ff3d34492ddb8ca5afcc1c0940c1156bb713d9278678bfdd1c59963a3070
RedLineStealer
b821da19f3f294e14b95e0a9c2b2926fbac983986494e81278ba4d3b7c5502a4
RedLineStealer
+ 5'207 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:26.08 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210826-f2grkydfpj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.17:48236
Unpacked files
SH256 hash:
39ee48871d81259b602109cd7cefa7e2a962a0c7dad13f5200bbe15cc1e028c6
MD5 hash:
068fe90e36d72c10aed91617d693cb5e
SHA1 hash:
ae872ec476b4601b77e0b8cffa42c0c8d0837958
Link:
https://www.unpac.me/results/7e0c50d2-0e92-48c8-99ad-fcd176f603fb/
SH256 hash:
894b6f37a92f42c9b18e0b897b3b172fa303829ed14722fbb90fee92dfe62d0b
MD5 hash:
e18258579adb0ef5445b92fd94cca668
SHA1 hash:
3a737f1a0498711888ae4c0a2ef2dc5fb29f0781
Link:
https://www.unpac.me/results/7e0c50d2-0e92-48c8-99ad-fcd176f603fb/
SH256 hash:
590851dac9954f6aed278479a38db5d2e546b96d8ec4ab7fdee10e88fded410d
MD5 hash:
d2a2f67ac272580fd04079a8fb5d619d
SHA1 hash:
372c91cdc09fbd7c9e88b3fca6872bc8c28e90c1
Link:
https://www.unpac.me/results/7e0c50d2-0e92-48c8-99ad-fcd176f603fb/
SH256 hash:
b90c965f7af0f19fb8e248be73d113a0538c9e65cfadfbdda8b0da675dfc5c67
MD5 hash:
f2502112f52c408bfe9fd28671570b1f
SHA1 hash:
4c16ba484748a7d0f988bc5f4ba3e9ce79db9dea
Link:
https://www.unpac.me/results/7e0c50d2-0e92-48c8-99ad-fcd176f603fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b90c965f7af0f19fb8e248be73d113a0538c9e65cfadfbdda8b0da675dfc5c67

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182491/

Comments