MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a04d9cc5852ff599de4f17e100286eb0f65507e88867efc71a3deacbe71238. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1a04d9cc5852ff599de4f17e100286eb0f65507e88867efc71a3deacbe71238
SHA3-384 hash: 94a356186deefb967b6a6005533390fc6c134d2907cb79a02db60486d7241c3ea5db0614bc347fd503c1c54f4b86a8fe
SHA1 hash: 73663dcd6e50133c5bc04487f2c9c84f331c1c7f
MD5 hash: d2eea610a5440b2b26416d3b1e06bfc4
humanhash: colorado-red-yankee-aspen
File name:Fortnite Tautara.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'878'624 bytes
First seen:2021-10-14 21:29:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:eBJbwNdvpKlxJ4+UzlPkqld0PU8N/fT96IeHyQi9eQ5XyDMa/+tCMqEY1:er8RKnJ4+Uzl5dk5reHyQcgMztqEY1
Threatray 6 similar samples on MalwareBazaar
TLSH T1256623279129024DD2E5C8368277FED5B3F64E2F8D42ACB846E5F9C126325E5F203A47
File icon (PE):PE icon
dhash icon 0010b07278b00020 (1 x RedLineStealer)
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fortnite Tautara.exe
Verdict:
Malicious activity
Analysis date:
2021-10-14 21:33:46 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/1b179486-5d13-447e-81b8-44ca40eb013f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197647/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6168a15c1c2d58ba740701b2/reports/c10d8908-ae7a-45c1-b6a7-884a5eaf9ea3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11325bef-7488-4fca-b3ae-087b0cb0f9a0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870801
Signature
Connects to many ports of the same IP (likely port scanning)
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1a04d9cc5852ff599de4f17e100286eb0f65507e88867efc71a3deacbe71238/
Threat name:
Win32.Trojan.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 21:30:06 UTC
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ygqe3hgfqux7lgo6j4l6cabin2ypmvih5cegp36hdi66vs7hci4a._file
Verdict:
malicious
Similar samples:
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
RedLineStealer
4c7fcf68b64aafefc3a6c92265378e21801543c9f2bb100742f55c78a310468b
RedLineStealer
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
RedLineStealer
a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4
RedLineStealer
fc0eee220cef0c364edb4cb6ff45e12b2d3c035b2be1072c627e40c4a298ea72
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer vmprotect
Link:
https://tria.ge/reports/211014-1chbsaacf8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
VMProtect packed file
RedLine
RedLine Payload
Unpacked files
SH256 hash:
202e1d2f4b6caebc25ae7f0b0c120f864bca175357607e1ebd675d36a70b27a1
MD5 hash:
fcef98eacc71056684527cefb66a2d11
SHA1 hash:
5294ed4b7e3a9281244bb7a8fea0ba8d420c32e0
Link:
https://www.unpac.me/results/20a06f91-eaec-4c9c-aabd-f412279a59db/
SH256 hash:
71891791b51d559d9122dbe0589b0d79f108d21f9b4cf1927a2f044498b2f1ee
MD5 hash:
695978ada6546d2fffd696251f1f062c
SHA1 hash:
2a8764659a9d85622dc9811c77a06cd3c9c5870e
Link:
https://www.unpac.me/results/20a06f91-eaec-4c9c-aabd-f412279a59db/
SH256 hash:
5f1713df6de130b8bbd439f9d1fd404c6c992e2a04a7bd9822cd07a756bcaf0c
MD5 hash:
36a5ceae5536aec21ae8d5acd36fdac8
SHA1 hash:
c357659758d9b7005783050141cf44aa5869e0c8
Link:
https://www.unpac.me/results/20a06f91-eaec-4c9c-aabd-f412279a59db/
SH256 hash:
c1a04d9cc5852ff599de4f17e100286eb0f65507e88867efc71a3deacbe71238
MD5 hash:
d2eea610a5440b2b26416d3b1e06bfc4
SHA1 hash:
73663dcd6e50133c5bc04487f2c9c84f331c1c7f
Link:
https://www.unpac.me/results/20a06f91-eaec-4c9c-aabd-f412279a59db/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c1a04d9cc585/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1a04d9cc5852ff599de4f17e100286eb0f65507e88867efc71a3deacbe71238

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_KB_CERT_65628c146ace93037fc58659f14bd35f
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c1a04d9cc5852ff599de4f17e100286eb0f65507e88867efc71a3deacbe71238

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197647/

Comments