MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d86183fdfd5e4f8457ade0b752d86f6e2dcabcdc0ad86f8de5c8d8ec760cebd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 5 File information Comments

SHA256 hash:	d86183fdfd5e4f8457ade0b752d86f6e2dcabcdc0ad86f8de5c8d8ec760cebd5
SHA3-384 hash:	3dbe79577bca9269faa4db791dd851843f7c6f595c2e80b92584ef8710c5f2e1c5c7d24742c7823e644516220fb239e8
SHA1 hash:	4024da4b3afb7d3f20f488bbd9f75a027e634ec2
MD5 hash:	436e20b28a311b54b6a5a4bddd5bb06a
humanhash:	pip-chicken-quiet-high
File name:	d86183fdfd5e4f8457ade0b752d86f6e2dcabcdc0ad86.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	718'368 bytes
First seen:	2022-02-09 14:06:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8ea47d2f5d62ad6186a12fadf06dc906 (1 x RedLineStealer)
ssdeep	12288:ETRypztWyq0wtZi9uhB/hlscDLHmuVCSUMao/giDpbXK2L9fML:EdyNtnvqZcu9KkLH/VQw4ilLL9fML
Threatray	3'766 similar samples on MalwareBazaar
TLSH	T103E42362B3DA5E9BE6A90B3193E7234333BEE9192753475B64176223FD043428D1371A
File icon (PE):
dhash icon	e8ccccccccccccd4 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
194.163.144.67:21227

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.163.144.67:21227	https://threatfox.abuse.ch/ioc/384490/

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/239568/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6203ca534077c8b9a026f62e/reports/9e6bdf5d-292d-49ba-b02f-f1d95f19d1bb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ryuk

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bfb152bc-15a8-44d1-bd4b-2194c0d02dcd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936901

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d86183fdfd5e4f8457ade0b752d86f6e2dcabcdc0ad86f8de5c8d8ec760cebd5/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-02-09 09:23:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3bqyh7p5lzhyiv5n4c3vfwdpnyw4vpg4blmg7dpfzdmoy5qm5pkq._file

Verdict:

malicious

Label(s):

ryuk

RedLineStealer

15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259

RedLineStealer

2d6a2c000a65290f3a6cae16c26fe29589795065ad4aeb9d5548efd900969f9d

RedLineStealer

4fe1cb64f16f7fa987407a906a4319520972f5a8f5749e3b071a831825559a45

RedLineStealer

67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23

RedLineStealer

7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574

RedLineStealer

9e719c4dd5e1086d5197fded7b8cdb0d3d592c0636b0d469fcda22c9723e8e7c

RedLineStealer

ad8da7f38644aa54c0983c703436a872daecd353e1470e831aa209e0b37f837e

RedLineStealer

+ 3'756 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220209-reet1aaffq/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

194.163.144.67:21227

Unpacked files

SH256 hash:

560489e5b7e51ddd25a433cdfb0cf51bf3bf8c13e477ead03b6118446c15d8ab

MD5 hash:

ddbbeb55859ff3c08b1446b4a8eb8421

SHA1 hash:

8d908305b6cc1dbf5d75c487c850b3280cdfba84

Link:

https://www.unpac.me/results/837beb7f-a55a-4723-b5c8-b3b7e34c35a1/

SH256 hash:

1de4f0bc10323c6a5c37314a0c61cf670863ab5d7db0ea8977d942c1bd299e49

MD5 hash:

264cd84ca111ae8be639ec57876bf45a

SHA1 hash:

4167b8a10c489c8196bb3ecf1ce7b76ac2e8a2f8

Link:

https://www.unpac.me/results/837beb7f-a55a-4723-b5c8-b3b7e34c35a1/

SH256 hash:

d86183fdfd5e4f8457ade0b752d86f6e2dcabcdc0ad86f8de5c8d8ec760cebd5

MD5 hash:

436e20b28a311b54b6a5a4bddd5bb06a

SHA1 hash:

4024da4b3afb7d3f20f488bbd9f75a027e634ec2

Link:

https://www.unpac.me/results/837beb7f-a55a-4723-b5c8-b3b7e34c35a1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d86183fdfd5e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/239568/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample