MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cae34f8ca588496a6a983b086197141c2a0eeed150704f6e6a46fc6b34f92b79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cae34f8ca588496a6a983b086197141c2a0eeed150704f6e6a46fc6b34f92b79
SHA3-384 hash: be38b94f40b35bddd62e2a77fede8dda72eb581ed8ebecb297f2f4dfad03cb5b270cb716f61f13174466a9cc50fe6e3f
SHA1 hash: aca79c374ada8b66db1eb2b7ddbd95f2ca1e4c5c
MD5 hash: 5a8ef0849e29662a06fa1efd2be98f10
humanhash: two-enemy-bravo-ceiling
File name:5a8ef0849e29662a06fa1efd2be98f10.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:256'000 bytes
First seen:2021-09-26 05:14:35 UTC
Last seen:2021-09-26 05:56:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 13d097bc679769118a9ca1658020024c (28 x RedLineStealer, 13 x RaccoonStealer, 1 x DanaBot)
ssdeep 6144:n106mPCjJFzOo/Ta93om7TFwNMF8sxEa:qxPC1cgq4lNSj
Threatray 2'379 similar samples on MalwareBazaar
TLSH T16A44E02079B1D032E3A749B45A75C3AD593BBC722E73415FF64C1A5A1E323C19AE2393
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.9.20.20:13441

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.20:13441 https://threatfox.abuse.ch/ioc/226443/

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a8ef0849e29662a06fa1efd2be98f10.exe
Verdict:
Malicious activity
Analysis date:
2021-09-26 05:15:40 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/601d8646-6fa3-4e98-aa2b-5754d320a5f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191703/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.25624.28943.11503.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5468fd32-ac58-43e8-a5e2-541b552058ff
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/858312
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cae34f8ca588496a6a983b086197141c2a0eeed150704f6e6a46fc6b34f92b79/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 05:15:09 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlru7dffrbewu2uyhmegdfyudqva53wrkbye63tki36gwnhzfn4q._file
Verdict:
malicious
Similar samples:
0f413477b0a01b7c34c422767d2886bc703ba8e34b2f835f2f41661e758fb101
RedLineStealer
2c9371842f8e757a3268ca7128fc20c1f38e5e00795f36f23113f6842166359b
RedLineStealer
33bb7d8584f1353b048c0227977e9531a4125188a960babbc2a26307ca158275
RedLineStealer
48158a7fc253f0cf5a6608c0575eb315081169b3c0024e7282a0b0b38b1c3a46
RedLineStealer
4adeef2878fa958c4663e80779274f3c58d8b8173f8c0e5dca57c69f4f087ebf
RedLineStealer
50b9577d186d817ed1c59fe1bb7639193c6ff35a942f5bd970b70b0b28c9870d
RedLineStealer
5484ffbb09d6886470562a882bcee4e31905cb20f01597cb2b6ed66c9d748736
RedLineStealer
5b7748ccd360a28204c2841e21b919447e2a44eb184363a9220da89c09e44237
RedLineStealer
dc249737489a928295dd8dd13f8c85627f3254bb83a96691b4749a15fd1c9027
RedLineStealer
ef802bdc93dc58499db371f595959d532aeaddc4777df6ead932f2cecec97a61
RedLineStealer
+ 2'369 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:udp discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210926-fxljqaecfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.9.20.20:13441
Unpacked files
SH256 hash:
90b0e7d902727351e4a88f3b02c2d3d15d202b2a0ea118c961c21c258617c1cf
MD5 hash:
6ac070b383c57c84bce059f1611a8bc0
SHA1 hash:
f8768f72c0cc63945cbe31b75e39a9d207db06b5
Link:
https://www.unpac.me/results/f4473da6-4a7b-401e-aded-2d1439762023/
SH256 hash:
74ec8e7f6661e87226bb95a4ba97ae828c45f3142b78d068492cff7162bbbd47
MD5 hash:
f007c18cee4cbdd6992122a8a216ccc0
SHA1 hash:
5b931b76947bb4484ae7b94a60e83c65f92b21b3
Link:
https://www.unpac.me/results/f4473da6-4a7b-401e-aded-2d1439762023/
SH256 hash:
fc667313899f6647f9d67a16af1234ac6b109223b7c3ce0d178614985cfd27e9
MD5 hash:
24eb234842defb045592109e300bed32
SHA1 hash:
4fa3017ddf932a7f7ae7fbbeda7eacbea609f283
Link:
https://www.unpac.me/results/f4473da6-4a7b-401e-aded-2d1439762023/
SH256 hash:
cae34f8ca588496a6a983b086197141c2a0eeed150704f6e6a46fc6b34f92b79
MD5 hash:
5a8ef0849e29662a06fa1efd2be98f10
SHA1 hash:
aca79c374ada8b66db1eb2b7ddbd95f2ca1e4c5c
Link:
https://www.unpac.me/results/f4473da6-4a7b-401e-aded-2d1439762023/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cae34f8ca588496a6a983b086197141c2a0eeed150704f6e6a46fc6b34f92b79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cae34f8ca588496a6a983b086197141c2a0eeed150704f6e6a46fc6b34f92b79

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/191703/
  
URLhaus
https://urlhaus.abuse.ch/url/1632262/
  
Delivery method
Distributed via web download

Comments