MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5
SHA3-384 hash: 192d7e192a1564a20a805d52eb0648f25651a4636e5711b9d135ae0df46747a97cfab365c38a98da339cf5308c7d270f
SHA1 hash: 0436972e0537dfccc282581e05fdd27e55e71266
MD5 hash: 91dbace5bc17870685f7f8d87fad9965
humanhash: hotel-cold-jersey-bulldog
File name:c212ba48a109bd687a456421a87059d28673e59167fc7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:16'776'193 bytes
First seen:2023-11-03 20:10:14 UTC
Last seen:2023-11-03 21:14:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 85cddd6092e65c1a58dd1e6e9ab9fc63 (18 x RedLineStealer, 9 x LummaStealer, 2 x AsyncRAT)
ssdeep 98304:8kUPS8Y0zONU+ic3cQfM2LshEcGYPrYq7+:zyOncQfM2LsiclPz
Threatray 1'713 similar samples on MalwareBazaar
TLSH T142F65A87F99005E4C1AED370C6265262BA303C891B2127D73B51FEB82F76BD4AE79354
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 2d1c93c96c36c748 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
195.10.205.17:8122

Intelligence

File Origin
# of uploads :
2
# of downloads :
342
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d5e9742ea32944bf7b147fe8bf9a8054.exe
Verdict:
Malicious activity
Analysis date:
2023-11-03 20:06:40 UTC
Tags:
stealc stealer redline amadey botnet trojan loader smoke opendir
Link:
https://app.any.run/tasks/55398f57-c963-449a-a084-5838c1cb3ee1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.23950.10734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-debug overlay
Link:
https://www.filescan.io/uploads/654553dc3dd412119beba948/reports/e6f6281c-3ac7-4615-85a3-4925ef5237c1/overview
Verdict:
Suspicious
Labled as:
Trojan/Generic
Link:
https://www.hybrid-analysis.com/sample/c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/91ba3731-4eee-4edd-a09f-21a2c9ce3c71
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336904
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-03 20:11:08 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yijlusfbbg6wq6sfmqq2q4cz2kdhhzmrm76healmx5yh3uehg6sq._file
Verdict:
malicious
Similar samples:
416f621d62441cbfe3e654c85085228ecdbcd0c29a5e0005e4810c135eb76def
RedLineStealer
477d14cad50e5310589cc6decd318252ce5c0859f90b6e72a6f8fff1feb259a2
RedLineStealer
92fd5c61bd97a904f17dc67c0b6c6fb696a027a5f91261e72b77d1c1850afabd
RedLineStealer
c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5
RedLineStealer
ccf11983ca3937cc907007b9fd6cbe9eab518c4bdc49eaa754186a7e9960839e
RedLineStealer
ebc33652984077063f00d28a671d0e7ad30554bff139a343297441d619716c68
RedLineStealer
+ 1'703 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:livetraffic infostealer spyware
Link:
https://tria.ge/reports/231103-yx9knabg98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
195.10.205.17:8122
Unpacked files
SH256 hash:
c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5
MD5 hash:
91dbace5bc17870685f7f8d87fad9965
SHA1 hash:
0436972e0537dfccc282581e05fdd27e55e71266
Link:
https://www.unpac.me/results/4a3df59e-da7f-4fd2-90b9-1cd0e3ec90e5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c212ba48a109/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c212ba48a109bd687a456421a87059d28673e59167fc72016cbf707dd08737a5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2727746/
  
Delivery method
Distributed via web download

Comments