MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb1b3d1bdad1a3e64972a7c902fbe7162b930cc2fbf4dafe5d33b1f2642086ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	cb1b3d1bdad1a3e64972a7c902fbe7162b930cc2fbf4dafe5d33b1f2642086ed
SHA3-384 hash:	3caf30b725f6490cebbd23945f22b2d2cfe8d49c7d7fd5cf8c15c128fc89789b37cff5e84cbc2c4db5673c58505e9f72
SHA1 hash:	8f610f5da78436ebb80cfcfe635dae4347abfcd4
MD5 hash:	abf4aefa2af7c0c22d73387ddc1431a0
humanhash:	red-high-high-alanine
File name:	cb1b3d1bdad1a3e64972a7c902fbe7162b930cc2fbf4d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	444'416 bytes
First seen:	2021-12-20 08:37:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bd7fa0e3fdd5520a4b66dc909d923c10 (4 x RedLineStealer, 2 x Amadey, 2 x ArkeiStealer)
ssdeep	6144:rdCx4qhWYA66u+OwDFoHdnx5Lw6vvpgaMlAZvoWYiL1n4uxhTy:JCxDIYAB+9nxVwDaMlAFoWYCn4uxA
Threatray	4'229 similar samples on MalwareBazaar
TLSH	T1FB94C000B6A0D035F5B312F85A769379A53E7DE1AB2490CF62D56AEE56346E0FC3031B
File icon (PE):
dhash icon	2dac1370319b9bb1 (1 x RedLineStealer, 1 x ArkeiStealer, 1 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.229:11452

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.229:11452	https://threatfox.abuse.ch/ioc/277936/

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/215370/

Detection(s):

Win.Malware.Sabsik-9916500-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

DNS request

Sending a custom TCP request

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2703/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61c040b5ec6c6c14a9e4979b/reports/f9e968e5-43de-443c-8f13-23c416625367/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/98725919-6997-4cfa-81a2-f5214ca5d6b0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/910100

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb1b3d1bdad1a3e64972a7c902fbe7162b930cc2fbf4dafe5d33b1f2642086ed/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2021-12-20 08:38:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zmnt2g622gr6mslsu7eqf67hcyvzgdgc7p2nv7s5goy7ezbaq3wq._file

Verdict:

malicious

RedLineStealer

4ee947c64c25248011ad7d043d257978b1bf9d1c376e7e25a9d332a5e0af8a27

RedLineStealer

6fe38f5b9a96dcd56ee5653030f5fa73fe8653a42ed4a5bf5a12ed916725ab6c

RedLineStealer

a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932

RedLineStealer

a28f90a3f9e95a92d214da6f6e1599ffe38b9481ecd28aa14f8b74160e60c436

RedLineStealer

+ 4'219 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:pablicher discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211220-kh6cssahcn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.229:11452

Unpacked files

SH256 hash:

cf280619a7cf882251d8ef4f1c72643b4d575d81844b7c249d2ad6aa811db7ea

MD5 hash:

87c674b28d52898f67ebd59931bfe7ab

SHA1 hash:

fc8bf6e2d54609fd13a11593695096d98a297796

Link:

https://www.unpac.me/results/a699cd9a-4522-4764-956a-64c3cc53f3fc/

SH256 hash:

e69870d97331c37bfb3b724e96e928e4588f99c66286d8b1e8cd957bccacba6f

MD5 hash:

b6f9b039569832b58fd64c353b716c70

SHA1 hash:

8f8b59e81706e79d270832f437376a69f5844a3f

Link:

https://www.unpac.me/results/a699cd9a-4522-4764-956a-64c3cc53f3fc/

SH256 hash:

ccbb09862f3a83cab41ed2cd4f38c1a4a902298ab0c60c7e7d8e27122caa36e8

MD5 hash:

dd61776a10e71e05ef52a368e6e4acf3

SHA1 hash:

01d051750b21bd2f3365f32e1b0d64a82c895d7c

Link:

https://www.unpac.me/results/a699cd9a-4522-4764-956a-64c3cc53f3fc/

SH256 hash:

cb1b3d1bdad1a3e64972a7c902fbe7162b930cc2fbf4dafe5d33b1f2642086ed

MD5 hash:

abf4aefa2af7c0c22d73387ddc1431a0

SHA1 hash:

8f610f5da78436ebb80cfcfe635dae4347abfcd4

Link:

https://www.unpac.me/results/a699cd9a-4522-4764-956a-64c3cc53f3fc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb1b3d1bdad1a3e64972a7c902fbe7162b930cc2fbf4dafe5d33b1f2642086ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215370/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample