MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6e874d199b4b0dfbd26b186212e02e83d64870dba2c033f952004b47137fbe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6e874d199b4b0dfbd26b186212e02e83d64870dba2c033f952004b47137fbe9
SHA3-384 hash: 6ab18fbf9560442d1af862cecf6f8768a9bebce5d5b5d2bb2694c9ea9214f9afede16a0e12b779e4f6b2622229bf14f9
SHA1 hash: cda41e58c497c51691e741a76213cd085feac4a8
MD5 hash: 98c9d17d06b52192e9946fc7f4cba934
humanhash: tango-floor-lima-fruit
File name:98c9d17d06b52192e9946fc7f4cba934.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:354'304 bytes
First seen:2021-09-25 09:46:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6abb333342201a93de1795b4b0940b40 (12 x RedLineStealer, 3 x Stop, 2 x RaccoonStealer)
ssdeep 6144:2x+leqyWXy4LSe1gCnYTJhZhzLmIRbKmg7+xlC27UxOP/:ZjyWXy4LbvnmTZhmIlKmg7Wpl
Threatray 6'478 similar samples on MalwareBazaar
TLSH T18B74AE20A6A0C035EDBF12FC59B593A8AD3D7DB16B3050CB61D126EAD6386D4BC3174B
File icon (PE):PE icon
dhash icon 9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.29:18087

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.29:18087 https://threatfox.abuse.ch/ioc/226441/

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
98c9d17d06b52192e9946fc7f4cba934.exe
Verdict:
Malicious activity
Analysis date:
2021-09-25 09:46:56 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a80c53bf-fbd4-4d4c-b14f-f4e51e8c564c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191464/
Detection(s):
Win.Malware.Fragtor-9895683-0
Create hunting rule

Win.Malware.Fragtor-9895686-0
Create hunting rule

Win.Packed.Fragtor-9895692-0
Create hunting rule

Win.Packed.Fragtor-9895768-0
Create hunting rule

Win.Packed.Fragtor-9896146-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07ef423e-ad5d-4e9c-b118-39029a26a4a1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/857978
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6e874d199b4b0dfbd26b186212e02e83d64870dba2c033f952004b47137fbe9/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 04:14:55 UTC
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=23uhjumzwsyn7pjgwgdcclqc5a6wjbynxiwagp4veacli4jx7puq._file
Verdict:
malicious
Similar samples:
09d58d081dd9364e99857ac273d52a17a0473cc64e64d0e15b2b9b2f67ef2d49
RedLineStealer
0ed83aa95f87e65e843b791c92419d0c1d34e5b01cc0be01715009f679ddc220
RedLineStealer
121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e
RedLineStealer
1fb7568e5927698079a34e472cbfbe4b94b28c0d140856e146f4960f81096924
RedLineStealer
24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52
RedLineStealer
567bca315477953823cfc51ec1a736c79ad8389cc0b0d0f4fad240372118aa61
RedLineStealer
62ca6e54fa1a2d0dc255f288afacfa7d6b42500d60f23cb957e0297e5928ca42
RedLineStealer
b821da19f3f294e14b95e0a9c2b2926fbac983986494e81278ba4d3b7c5502a4
RedLineStealer
d571f4c8d4e202e48bd37ec433a60a6fe8843d20b6afbc01c57e9cde330ed9dc
RedLineStealer
+ 6'468 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210925-lrnd1sbac3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:18087
Unpacked files
SH256 hash:
a62841bbe14945e2cd4066193675aefc61ced1aaff2753924e4ab30a9241e760
MD5 hash:
f246bd57ec25db36919e7e1aa731303f
SHA1 hash:
f4fa44aadc1d6bd4411c14c78150b2ed24f03f3b
Link:
https://www.unpac.me/results/6ed447ff-e041-4253-b893-4636aadd6a9c/
SH256 hash:
8804d072134b4f424a7af558ae9eaf17370bf874e2d0919e12e9508a8f25bc04
MD5 hash:
b7e41b714671133b10467addb04eaf04
SHA1 hash:
67250b01da36b1c2b36c6b8599f37d36975cfeca
Link:
https://www.unpac.me/results/6ed447ff-e041-4253-b893-4636aadd6a9c/
SH256 hash:
ccf48b09615787253370d1f337c632ad194e899489784fa7d4bb4cd8d67d6d9e
MD5 hash:
6b5c7d46224b4d7c38ec620c817867ad
SHA1 hash:
3747f56ac967b30844b790ed11e6180d83a79565
Link:
https://www.unpac.me/results/6ed447ff-e041-4253-b893-4636aadd6a9c/
SH256 hash:
d6e874d199b4b0dfbd26b186212e02e83d64870dba2c033f952004b47137fbe9
MD5 hash:
98c9d17d06b52192e9946fc7f4cba934
SHA1 hash:
cda41e58c497c51691e741a76213cd085feac4a8
Link:
https://www.unpac.me/results/6ed447ff-e041-4253-b893-4636aadd6a9c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d6e874d199b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6e874d199b4b0dfbd26b186212e02e83d64870dba2c033f952004b47137fbe9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d6e874d199b4b0dfbd26b186212e02e83d64870dba2c033f952004b47137fbe9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1638450/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191464/

Comments