MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4ac121c5a776d0f65e039bf0922b1582403177b0d316dbd1cfcac9f36b4265c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4ac121c5a776d0f65e039bf0922b1582403177b0d316dbd1cfcac9f36b4265c
SHA3-384 hash: 03fc388db8586179053e16ffcccc7c176a3d27e0c3dfe7e9c5c41e47d2a9d71bf57ddc466f7f68358fcd5c6ddf35f02e
SHA1 hash: d7dda5da9c23c94afa86f40d318f60d5bdd0c921
MD5 hash: ef5792aa4cd85ac9b5848da9f9fcd6af
humanhash: echo-september-oregon-comet
File name:ef5792aa4cd85ac9b5848da9f9fcd6af
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:285'696 bytes
First seen:2021-08-06 11:57:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6809132c99c8b7d8b68eb68186d7f67f (4 x RaccoonStealer, 3 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:4rLOHhMfUQfpvzdNTs7FTYxN4ZwzPupqRL3UxJgLBI:4ramUQfpvzmY0cVRYYL
Threatray 1'417 similar samples on MalwareBazaar
TLSH T1AF54F1213741CD72D41339B068BACB81679EF85AE75186077A4A2B9F3F712D06F3A325
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ef5792aa4cd85ac9b5848da9f9fcd6af
Verdict:
Malicious activity
Analysis date:
2021-08-06 11:59:51 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/b52af8f1-860b-4b36-b882-ded3166cea29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176978/
Detection(s):
Win.Dropper.Ursnif-9884016-0
Create hunting rule

Win.Dropper.Titirez-9884070-0
Create hunting rule

Win.Dropper.Titirez-9884078-0
Create hunting rule

Win.Packed.Filerepmalware-9884083-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a file
Sending a UDP request
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13ef39df-a6f7-46ea-b1b7-23bc766beb41
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/828251
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4ac121c5a776d0f65e039bf0922b1582403177b0d316dbd1cfcac9f36b4265c/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 22:03:17 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2swbehc2o5wq6zpahg7qsivrlasagf33buyw3pi47swj6nvuezoa._file
Verdict:
malicious
Similar samples:
2a707bb26e7216a1e9e1e98e25a2c12e81ab4eed316075a3313539b38e2a01b2
RedLineStealer
51615786dd61880b418061e7ab53c560ab69e979879a27c2feb9f68a62996b72
RedLineStealer
9fb05ed05f0830bedc12c15e3432870a6751334ef5b18af9770b3ee4f0e9e037
RedLineStealer
af3f767e38f4115339fdd61f3f3b878a1335e2201eb5b88e041cb47b1d0a7f46
RedLineStealer
b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a
RedLineStealer
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
RedLineStealer
cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
RedLineStealer
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663
RedLineStealer
d17f19f350e918c1d6558606fb28b06361e772514a3b0428635c31e9b7e0b098
RedLineStealer
df28d049b131a8dec56e3bbfff4ca4b419a0a04a41af70b5fce5be80b10385a3
RedLineStealer
+ 1'407 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix 05.08 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210806-e439b6dzge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.17:18597
Unpacked files
SH256 hash:
12fdc5f73fe35e01d520debd2ac75483deda2b652917c879a36adad7954b53c3
MD5 hash:
2b730f32d24fd660a1b99ac952b82d29
SHA1 hash:
c86ec66d07b2edbfdd7531270879ae90443d8e36
Link:
https://www.unpac.me/results/0811147c-f323-4a4b-abc6-977346806da2/
SH256 hash:
0e719f46ce33001f8e7c283c1b2e7efa69d93eb73a20f8b46e1e4d2dfe6c3bfe
MD5 hash:
8943614d87967db49131809a1581fd47
SHA1 hash:
1d6ed8c45850f383ef2fe160f5a2edebcc70e8bc
Link:
https://www.unpac.me/results/0811147c-f323-4a4b-abc6-977346806da2/
SH256 hash:
e2d1b912234224ecd7d5e67103d08a8961dc70d067d1e33444a3f06a1445aa35
MD5 hash:
8e2bf434c9d71e56368f6a0b9ec3ac5a
SHA1 hash:
1aca1df4156b5f9600f99bac2e6aca181c705cf6
Link:
https://www.unpac.me/results/0811147c-f323-4a4b-abc6-977346806da2/
SH256 hash:
d4ac121c5a776d0f65e039bf0922b1582403177b0d316dbd1cfcac9f36b4265c
MD5 hash:
ef5792aa4cd85ac9b5848da9f9fcd6af
SHA1 hash:
d7dda5da9c23c94afa86f40d318f60d5bdd0c921
Link:
https://www.unpac.me/results/0811147c-f323-4a4b-abc6-977346806da2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4ac121c5a776d0f65e039bf0922b1582403177b0d316dbd1cfcac9f36b4265c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d4ac121c5a776d0f65e039bf0922b1582403177b0d316dbd1cfcac9f36b4265c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1481313/
Cape
Cape
https://www.capesandbox.com/analysis/176978/

Comments


Avatar
zbet commented on 2021-08-06 11:57:46 UTC

url : hxxp://dahgarq.top/jolion/apines.exe