MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d68a7490c870c48f7652805b573d92b95c74b399cf0bd3ec06c9236d00bd0d06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d68a7490c870c48f7652805b573d92b95c74b399cf0bd3ec06c9236d00bd0d06
SHA3-384 hash: 2d4f16a99766aeef648e8e3f77e739142fded70d05769400166a869d1c71d98a16a636bf7929d6702801f511fb9fc070
SHA1 hash: b9a26acb32e3248d9579755282ac87cbc9a03684
MD5 hash: 1e7437646c2b25f3465190cb467a06e7
humanhash: football-sad-wolfram-earth
File name:1e7437646c2b25f3465190cb467a06e7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:373'760 bytes
First seen:2022-03-27 16:57:56 UTC
Last seen:2022-03-27 17:45:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ed1b2792ced7a8e7bb849a84d01e5fcb (9 x Smoke Loader, 5 x RedLineStealer, 5 x Stop)
ssdeep 3072:oFK2NvABrzm7jwckt52Xcy0j+TvMG3Vj6I7JEOjppXj2WijwSMKbO5u+xDiidF0V:4VkmBRN0j2zlGI7JE6ppT29Qpu+hTqN
Threatray 3'890 similar samples on MalwareBazaar
TLSH T11A840225B561E032C8859531B4A5C6B01EB6B7300AE79C077B9D14BEAF713E062FCF4A
File icon (PE):PE icon
dhash icon 5c595a3ce0c1c850 (5 x Stop, 5 x RedLineStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258177/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39356912.17232.7928.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11594/overview
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6240979ca19c6494129a2ece/reports/f578981e-de5c-4b54-8d62-c8f32a0faff3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fb7e7d6-65a8-4d79-94a1-72b7ffc7c63d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965314
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d68a7490c870c48f7652805b573d92b95c74b399cf0bd3ec06c9236d00bd0d06/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-27 12:43:02 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=22fhjegiodci65ssqbnvopmsxfohjm4zz4f5h3agzerw2af5buda._file
Verdict:
malicious
Similar samples:
0a90734617954138c041ac5ba7956064478b5dbcdf622ec2ed0e619f044c74f9
RedLineStealer
1a2786ae6680459aa89e79fc3c93c73f9901be784ce2eb4267c5010d2c6d9b7b
RedLineStealer
417a617e475f6b543a3b5a7639147c73abc059e50c19a983e6ba28067a74c1aa
RedLineStealer
a6c58dc411ddd6fae1977d92e601c483931fc6cba08bf003a23cdbeb74244b48
RedLineStealer
e0e8c025a370303c6b52ffd0904918ff22eadf74ae24e8bba8149491c4ad0ae2
RedLineStealer
fdfd1a10040479a0dc1e2d49865208eea68e68afc055322032a732ad2a3a51fc
RedLineStealer
+ 3'880 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220327-vgtbysehfj/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.233.48.58:38989
Unpacked files
SH256 hash:
bda8528710fc8ffb9a5969afacdd25f5d24bb5793051af4d49beea9936ede2df
MD5 hash:
88c659cf001038d06e2605b3debf26cf
SHA1 hash:
e384ca99fd00c5eb4b7b936a096e4d7eda05abf8
Link:
https://www.unpac.me/results/9230f542-9092-4365-a0ed-3158073867b3/
SH256 hash:
4f2231f29e06809d9442b1ce8535b6a0610c23a7baafc1c6c96a83281a4ec13a
MD5 hash:
de667cc858a905e6c3c7ad23c0356d24
SHA1 hash:
cec9d8efa8873eca0824d35906ef784a990b2ed7
Link:
https://www.unpac.me/results/9230f542-9092-4365-a0ed-3158073867b3/
SH256 hash:
577006471b98395e407abea2739adf073654ebd5292ed12a1a76a12258b67b39
MD5 hash:
7b61a29887a66e0f37b2daba1a368f2e
SHA1 hash:
4cbba3c48e47c540c1f77c28b63be662084b5ab3
Link:
https://www.unpac.me/results/9230f542-9092-4365-a0ed-3158073867b3/
SH256 hash:
d68a7490c870c48f7652805b573d92b95c74b399cf0bd3ec06c9236d00bd0d06
MD5 hash:
1e7437646c2b25f3465190cb467a06e7
SHA1 hash:
b9a26acb32e3248d9579755282ac87cbc9a03684
Link:
https://www.unpac.me/results/9230f542-9092-4365-a0ed-3158073867b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d68a7490c870c48f7652805b573d92b95c74b399cf0bd3ec06c9236d00bd0d06

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d68a7490c870c48f7652805b573d92b95c74b399cf0bd3ec06c9236d00bd0d06

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2108324/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/258177/

Comments