MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba46ed4d1b57caf49d7125087af141259ef1c032fdb45399d931f3518e09d504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 11

SHA256 hash: ba46ed4d1b57caf49d7125087af141259ef1c032fdb45399d931f3518e09d504
SHA3-384 hash: 1b2d22e921b6567f7fb119a9fcbed98f44b8f2a0f2d6abaf75b30e873aaed275e269c9ef29a1ebfaa2bd70be63020fa8
SHA1 hash: fb124cd3a300767329727b9f894a69a92d5e64c9
MD5 hash: 5124ccde1e94a1de5493ed13b299bbc1
humanhash: cup-cup-california-burger
File name: 5124ccde1e94a1de5493ed13b299bbc1.exe
Signature: RedLineStealer
File size: 349'184 bytes
First seen: 2021-08-22 07:50:38 UTC
Last seen: 2021-08-22 08:48:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 87931c028561c299d538d462f4889ea0 (7 x RaccoonStealer, 7 x RedLineStealer, 2 x Amadey)
ssdeep: 6144:+Oi6yU0Czq9kJ4g4skiXI2BL8CV5RDrr5frm66dfu/XJIcYz:86v0Czq9kcskqJICV/T5zHZh4
Threatray: 4'920 similar samples on MalwareBazaar
TLSH: T11674BE2076B0C138E4F712F4996DE3BC68297D706B2450CB62C62AEE66376E4DD30797
dhash icon: ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.38.55.57:7575

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 193.38.55.57:7575
ThreatFox Reference: https://threatfox.abuse.ch/ioc/192588/

Intelligence

File Origin
# of uploads: 2
# of downloads: 134
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 5124ccde1e94a1de5493ed13b299bbc1.exe
Verdict: Malicious activity
Analysis date: 2021-08-22 07:53:45 UTC
Tags: trojan rat redline stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Connection attempt
  Sending an HTTP POST request
  DNS request
  Sending a custom TCP request
  Using the Windows Management Instrumentation requests
  Creating a window
  Creating a file in the %temp% directory
  Deleting a recently created file
  Reading critical registry keys
  Creating a file
  Sending a UDP request
  Stealing user critical data

Result
Verdict: UNKNOWN
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature:
  Found malware configuration
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Tries to harvest and steal browser information (history, passwords, etc)
  Uses known network protocols on non-standard ports
  Yara detected RedLine Stealer

Result
Threat name: Win32.Ransomware.Stop
Status: Malicious
First seen: 2021-08-22 01:47:10 UTC
AV detection: 26 of 27 (96.30%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Checks installed software on the system
  Reads user/profile data of web browsers
  RedLine
  RedLine Payload
Malware Config
C2 Extraction: 193.38.55.57:7575

Unpacked files

SHA256 hash: a7cbe97a9a0e72247ac9adc920370ebd7047e930a6f29481070647a4e13f4388
MD5 hash: b715cf592b142e2439ac04e4584ffaff
SHA1 hash: ce0cab7f1fa7f6830e764edf164365f8357771b1

SHA256 hash: 02870ec80d34649f4babf75a5e25d5d9ff979a9d02af0d94f5ecffd43508c464
MD5 hash: 334daf946e36227115cea10d53386034
SHA1 hash: 3638569980e9911f7dbc59a613411d95521e5aa0

SHA256 hash: 1b25fdebbda332f7c6300aea2d7e3e0932674718187edda1aebafcc72b147b67
MD5 hash: 05ae28c772c4c22d5ba1c70d551c7675
SHA1 hash: 33964a9fd49845344786e35d6aba02593f356bc3

SHA256 hash: ba46ed4d1b57caf49d7125087af141259ef1c032fdb45399d931f3518e09d504
MD5 hash: 5124ccde1e94a1de5493ed13b299bbc1
SHA1 hash: fb124cd3a300767329727b9f894a69a92d5e64c9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File type: Executable exe
SHA256: ba46ed4d1b57caf49d7125087af141259ef1c032fdb45399d931f3518e09d504 (this sample)

Comments