MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718
SHA3-384 hash: 16e84ced9f95836380c153d78f356d7c30d48b11517efb01954f047b1a769a4666fa750ba1680f9ab3ac47fa73b67066
SHA1 hash: d5b175659ad8200190c671b269bf67f0f4c8af53
MD5 hash: 12908b725fb771c0f2323fe997e64897
humanhash: hamper-cold-victor-ceiling
File name:12908b725fb771c0f2323fe997e64897
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:293'888 bytes
First seen:2021-11-27 06:24:52 UTC
Last seen:2021-11-27 07:44:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 53b0378649e79a9a5712f4b4ad78cbde (1 x RedLineStealer)
ssdeep 6144:2/bzLydmTGFYPk1TUGQTO1k8YXadX2zCbHY8KZtQZT:avLGmKhTlWO1k8Y2GyH2KZ
Threatray 3'546 similar samples on MalwareBazaar
TLSH T15E54F16136E1C032DAE70A316970FF651A377C727A35804F2F74162E6E32BE0A66574E
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12908b725fb771c0f2323fe997e64897
Verdict:
Malicious activity
Analysis date:
2021-11-27 06:26:10 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/ede18f40-313a-4cdb-9c47-e8c0711aaf11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.7138.27081.10840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet greyware lockbit mokes packed
Link:
https://www.filescan.io/uploads/61a1cf43f36138de3f40dfa5/reports/304e6646-b9d6-4a6a-879e-96fa9446fbd9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f4b6fd6-514c-4384-bfa2-d6ffef9aff6a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897069
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718/
Threat name:
Win32.Trojan.Lockbit
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 20:49:43 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jbe5zaafzsssjoj2m44ytiiuzhyrtyconjpmmbneydhpjxha4ma._file
Verdict:
malicious
Similar samples:
4ddbe2305b1b7d5b932e65161108ecd4dc34bcc2ae533b2e7a6605e5371715d4
RedLineStealer
6647d57fc70b85d47cf34cfd756c826ea63bae77a1871ac382099c7cff99947a
RedLineStealer
74622827a04d267b7e3ff1460c1027d6ffe4278ec064fe18b650f2ab1fe0ac18
RedLineStealer
7b844e92f23a024459588b88c6a41f652ca2ec0a05da0811e7f60ee866de34d5
RedLineStealer
ae985571dc814c271e4357a099b88a6014129bc9933c6a4e0e43c3975e6d0b4b
RedLineStealer
c292fd152f9c1e4d1a0b1c2a5dcaf9ef05b1c3f60494b184aafe471527458783
RedLineStealer
d1439d1a3c8bd8495a07ea2d22e4480b7cd837deb3b6c5576e98592de7f67996
RedLineStealer
+ 3'536 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:unknown discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211127-g6nacahbem/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
129.146.249.128:64466
Unpacked files
SH256 hash:
d0fb898e80761ba3db52eb026e566334566497e4a80e70062990b6dece71fb09
MD5 hash:
a7f6ebd1c68716096312467c2fceda1a
SHA1 hash:
d8a690c803025c8d2feca6e5fd2a099534fbe8d8
Link:
https://www.unpac.me/results/618288d8-10c2-496b-bb11-d98bb544db2d/
SH256 hash:
7f597c83c72117a4953e4a69cfc15d7ba831f4d06c968c20a9caf521f33b2a42
MD5 hash:
449c73e9ab8d828d8ae10097d35e02d6
SHA1 hash:
7e8244f66714fa4168a30b49b5bd9ff804b2415f
Link:
https://www.unpac.me/results/618288d8-10c2-496b-bb11-d98bb544db2d/
SH256 hash:
a46cac742afb3e9a720c5171dd98c1a6409d4d085aae82501d6a8d4d87937fa3
MD5 hash:
2f52d3ce29c424abfc6234973fd18ba6
SHA1 hash:
5134174d6fde0f4f24ecbdec32dc7683d5bcf314
Link:
https://www.unpac.me/results/618288d8-10c2-496b-bb11-d98bb544db2d/
SH256 hash:
d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718
MD5 hash:
12908b725fb771c0f2323fe997e64897
SHA1 hash:
d5b175659ad8200190c671b269bf67f0f4c8af53
Link:
https://www.unpac.me/results/618288d8-10c2-496b-bb11-d98bb544db2d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d2424ee4002e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1822593/

Comments


Avatar
zbet commented on 2021-11-27 06:24:53 UTC

url : hxxp://2.56.59.42/US/Keynote300us.exe