MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f
SHA3-384 hash:	755105db4d500870f7dd09bcfa3839c6f08aca572d598542087dba851ea234ceaa7e4230b365f62cbb7aa550e84dde4b
SHA1 hash:	19d0ab3f538b693a099c48f715848258bf8e6d99
MD5 hash:	07e2ee0ab61c20d88cf71b1bfaab872d
humanhash:	tennessee-august-magazine-potato
File name:	c2129725fe0ece870ee9ab1b0db5a5472738fae47347c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	406'528 bytes
First seen:	2023-01-29 18:25:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	542468110f098d389e1af32bd5abfd50 (11 x Smoke Loader, 11 x RedLineStealer, 2 x TeamBot)
ssdeep	6144:/LUP+bNahJrJtAGyApbDKVHy55J2uuaXO/SzgYbLs7VlB2reEWajAqf:/4qNerASTAZ1wYjWV
TLSH	T1C684CF02D6B27D43FD224A718D5EC6E0F91DF4407E1CEF599218BA4F94722B1E76222B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	205880888494c4c0 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
62.204.41.170:4132

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

fedfd8cdc54e0e2a384defc1b5402cea.exe

Verdict:

Malicious activity

Analysis date:

2023-01-29 16:46:35 UTC

Tags:

trojan amadey loader rat redline stealer vidar

Link:

https://app.any.run/tasks/a3e8878e-85db-48fc-9ec4-da2aa71a5971

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/358001/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware packed

Link:

https://www.filescan.io/uploads/63d6ba4089bd67c10fdb508b/reports/1b2c880d-be79-4794-8eea-d297e9fb44cb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd1b94f7-3f15-4964-8507-27d835c89b40

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1161122

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-01-29 16:52:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yijjojp6b3hiodxjvmnq3nnfi4ttr6xeond4hcp2snvsbb3pc5xq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:fredy discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230129-w27kraac6y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

62.204.41.170:4132

Unpacked files

SH256 hash:

44a1bf37db59ffefc1fac2412110cbad2972d28ff563477367a68fae8d7cbd41

MD5 hash:

4255fc1fef03063dd4ba5095fe84d2f9

SHA1 hash:

8434939b022c2bef23627d1e4fc4e0726e38f38e

Detections:

redline

Link:

https://www.unpac.me/results/47d7a577-bfa0-4439-b104-f1e5e9fd8aff/

Parent samples :

c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f
6f69d4bea4681b9ef42b65f4a4479bcaa0824d21f71020a8820e3e507aca3e4d
93691d155e47e29109a94902362d651cdf5dc5ba17b1e8b665c4fc99dd370e1a
45abce6e11b5dec3a8d554e632e30609ce1998db3d969bc0117449976e45c730
c66cd92a155b70f1335dfcff0825bf851b4b1e9c6ea53e6d6087fd87df8ebe50
58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2
19f2539486d7b7a3c3c5f2e81851ef4220cdb5adb95778d1b7464fdd2b9f506a
768eba7cebce8cef3a57585b6b718bbcb4ce6b3a63453a81731fa1285ce39e8f
41fa0edee86cfc72ac4bb3628b3773269038ca1227fe3abe88b878e39c4fdff9
1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578

SH256 hash:

57c14ed6abd44dc0c82f0b7d7d157297f06625213099468658862d446f4bddef

MD5 hash:

cf403e03ec81ae4c9f2046f1fc42b619

SHA1 hash:

8332ced036e9310035bed471527c4bfdec20d9c3

Link:

https://www.unpac.me/results/47d7a577-bfa0-4439-b104-f1e5e9fd8aff/

SH256 hash:

631a58938d6eacff9cab0293694eb207efe1f41f69c942c728684633cae9798a

MD5 hash:

adb7cfd75e703c3a2def812ba9852dee

SHA1 hash:

1810523f94540c1734b1f167e70a08520ffa2269

Detections:

redline

Link:

https://www.unpac.me/results/47d7a577-bfa0-4439-b104-f1e5e9fd8aff/

Parent samples :

c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f
6f69d4bea4681b9ef42b65f4a4479bcaa0824d21f71020a8820e3e507aca3e4d
93691d155e47e29109a94902362d651cdf5dc5ba17b1e8b665c4fc99dd370e1a
c66cd92a155b70f1335dfcff0825bf851b4b1e9c6ea53e6d6087fd87df8ebe50
1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578

SH256 hash:

c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f

MD5 hash:

07e2ee0ab61c20d88cf71b1bfaab872d

SHA1 hash:

19d0ab3f538b693a099c48f715848258bf8e6d99

Link:

https://www.unpac.me/results/47d7a577-bfa0-4439-b104-f1e5e9fd8aff/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c2129725fe0e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/358001/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample