MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5ebd419722037637eed6c7d9f7f3273b23abf220ccc266e466ee2e4b99d44d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5ebd419722037637eed6c7d9f7f3273b23abf220ccc266e466ee2e4b99d44d7
SHA3-384 hash: ae1f0635e530f5c54aa43b4a852d60888f22064edc561c72e71f934ce4e0ed8c340d5af27ee69c5b832df8baeeab38bf
SHA1 hash: c20f3b8a223c52dd8ff3b9c2b53cbafdc6c3fee3
MD5 hash: c90c8b21cc3a91d5657404916080575c
humanhash: william-cat-nitrogen-network
File name:d5ebd419722037637eed6c7d9f7f3273b23abf220ccc2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'595'728 bytes
First seen:2022-01-16 20:31:08 UTC
Last seen:2022-01-16 22:46:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep 98304:bajxGQlLsGNo9ybWtPF/zHQcYqkrsUEijmrl8F:mjPLKmWtt/EcYdH48F
Threatray 1'002 similar samples on MalwareBazaar
TLSH T15FF533986502912CF8D7763CD9282B0795280BFF6866271356EFEBD4E2E35136B0077B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
92.38.241.101:36778

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.38.241.101:36778 https://threatfox.abuse.ch/ioc/295763/

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
644ba574ccf34cab7c0cf6efbe56d3f5.exe
Verdict:
Malicious activity
Analysis date:
2022-01-16 20:29:21 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/bd7adfb1-7efc-4789-87d5-360bf27792da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219654/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61e480c91883c5ba4ed5151c/reports/e67bacfa-fb65-4d21-9379-07df7bf14df7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e5d5b439-68c8-44a7-84dd-b5a152ad10cd
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921471
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-16 16:23:41 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xv5iglsea3wg7xnnr6z67zsoozdvpzcbtgcm3sgn3rojom5itlq._file
Verdict:
malicious
Similar samples:
17be6c33020601127b2ac2e87be0dadb64c7af911d38ba70bf4d86d595ca4759
RedLineStealer
3ed3b03c36265ddffd8382859b7545cec6955331f85907018adc4bacde22e70e
RedLineStealer
5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4
RedLineStealer
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
RedLineStealer
935e889d242191efcd783fc0a72a3a1f8881314c39df20a5418ef66f306d080b
RedLineStealer
a771e073fa4ba6ef336ab59ae52114c034d5725a7731dfb1593a764688f7dc16
RedLineStealer
b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94
RedLineStealer
ca05bdeff05876d189e870c1b7af2bf4bd098214506905655ced4f73efe8560b
RedLineStealer
cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de
RedLineStealer
d5ebd419722037637eed6c7d9f7f3273b23abf220ccc266e466ee2e4b99d44d7
RedLineStealer
+ 992 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220116-zbbl6sgdam/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
98ec0393b5531b5cbe44b2c23cdd5afc50f766cd1bfa6619299a4451a9de6dc1
MD5 hash:
d859571dd8eb1095195db87b546666be
SHA1 hash:
0b4a71a11a23f1a4d91c3c4b33ab51caf9e40b30
Link:
https://www.unpac.me/results/94644f44-85a9-46a9-a7f3-45f4482a0a3f/
SH256 hash:
d5ebd419722037637eed6c7d9f7f3273b23abf220ccc266e466ee2e4b99d44d7
MD5 hash:
c90c8b21cc3a91d5657404916080575c
SHA1 hash:
c20f3b8a223c52dd8ff3b9c2b53cbafdc6c3fee3
Link:
https://www.unpac.me/results/94644f44-85a9-46a9-a7f3-45f4482a0a3f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5ebd419722037637eed6c7d9f7f3273b23abf220ccc266e466ee2e4b99d44d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219654/

Comments