MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2337996fd62094fa4f4691011cda01602b389bff46d2a7f1b8a6c6a1bb0f4b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2337996fd62094fa4f4691011cda01602b389bff46d2a7f1b8a6c6a1bb0f4b5
SHA3-384 hash: 9ce0a66c46a74d0ea20d1b5b1c77481e312f1d52ec9e01e2d4f358d616f87c83a7429928a7fc5d29f25bad453ec2f698
SHA1 hash: b26ef7ab9e475b7166520f6d55a8e80ad0a3b9ad
MD5 hash: 0eb503cae2ee76417a8608ae3b164bc2
humanhash: sweet-fifteen-football-louisiana
File name:0eb503cae2ee76417a8608ae3b164bc2
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:353'792 bytes
First seen:2021-09-22 02:05:40 UTC
Last seen:2021-09-22 02:51:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6abb333342201a93de1795b4b0940b40 (12 x RedLineStealer, 3 x Stop, 2 x RaccoonStealer)
ssdeep 6144:CA5aeeZYgckL1emgC133fJ5u7QVASTcl4+Kg7L0DQ2AvfUDoHM:LCZYgckLdv1/eQVdT1+Kg7XRvf
Threatray 2'113 similar samples on MalwareBazaar
TLSH T18274AE20E7A3C035E5B702F9497A97A8993D7AB16B30B1CF25C226EA56342D4DD30773
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0eb503cae2ee76417a8608ae3b164bc2
Verdict:
Malicious activity
Analysis date:
2021-09-22 02:07:20 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/0db9059e-811a-47cf-913a-009c581d87bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190020/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.23876.4570.12556.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97446ea1-b755-4ebc-9ddc-f8613d52c27b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/855292
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2337996fd62094fa4f4691011cda01602b389bff46d2a7f1b8a6c6a1bb0f4b5/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 02:06:05 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2izxtfx5mieu7jhuneibdtnacyblhcn76rwsu7y3rjwgug5q6s2q._file
Verdict:
malicious
Similar samples:
17cc58e77877849e90ead801f4c0295a29067a8a013e8d852d56b1f4bf71f88e
RedLineStealer
3bd40776370b7471f50fa074756dee076004e2f279e5b84795c09d7323c5e6bc
RedLineStealer
4b255928648623b33ead203ba323598bd376bf58aa34fc00e8eb3e562413a193
RedLineStealer
55415e508d283bfd58795c2f0d4455c43ac03fca354c007fd8cd46a756bf342c
RedLineStealer
729439c4ee7b6b04bd443520adfae3c5b2eb69981319547e21a9060d64be7693
RedLineStealer
9b009a24ed2022a348e82514b039cea11b468365e0cf58ae5bb217fc3c391493
RedLineStealer
9bd6141806d6a89ddd15d98517c7b79de204ab317c157eada64fefbef1a239cc
RedLineStealer
a23667dadeb0b55f452380e7e837e856a9e7df5b4bf6211b2314e55f1105ef1e
RedLineStealer
caa60a2c9884ffd88b4f45d8b99cc61b1883ec4e72750fae9e5e3ddb6e1ee4a6
RedLineStealer
+ 2'103 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210922-cjex8sdfak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:18087
Unpacked files
SH256 hash:
a62841bbe14945e2cd4066193675aefc61ced1aaff2753924e4ab30a9241e760
MD5 hash:
f246bd57ec25db36919e7e1aa731303f
SHA1 hash:
f4fa44aadc1d6bd4411c14c78150b2ed24f03f3b
Link:
https://www.unpac.me/results/c5984607-9e4c-427e-b1ea-02551385c1d0/
SH256 hash:
8804d072134b4f424a7af558ae9eaf17370bf874e2d0919e12e9508a8f25bc04
MD5 hash:
b7e41b714671133b10467addb04eaf04
SHA1 hash:
67250b01da36b1c2b36c6b8599f37d36975cfeca
Link:
https://www.unpac.me/results/c5984607-9e4c-427e-b1ea-02551385c1d0/
SH256 hash:
ccf48b09615787253370d1f337c632ad194e899489784fa7d4bb4cd8d67d6d9e
MD5 hash:
6b5c7d46224b4d7c38ec620c817867ad
SHA1 hash:
3747f56ac967b30844b790ed11e6180d83a79565
Link:
https://www.unpac.me/results/c5984607-9e4c-427e-b1ea-02551385c1d0/
SH256 hash:
d2337996fd62094fa4f4691011cda01602b389bff46d2a7f1b8a6c6a1bb0f4b5
MD5 hash:
0eb503cae2ee76417a8608ae3b164bc2
SHA1 hash:
b26ef7ab9e475b7166520f6d55a8e80ad0a3b9ad
Link:
https://www.unpac.me/results/c5984607-9e4c-427e-b1ea-02551385c1d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2337996fd62094fa4f4691011cda01602b389bff46d2a7f1b8a6c6a1bb0f4b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d2337996fd62094fa4f4691011cda01602b389bff46d2a7f1b8a6c6a1bb0f4b5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190020/

Comments


Avatar
zbet commented on 2021-09-22 02:05:41 UTC

url : hxxp://103.169.90.205/blog/upload/sefile.exe