MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229
SHA3-384 hash:	c262f92193716efe7580eb57e3556d5f36d9b4cf16e8b9ae870fdf907a9bce1938b00235bb93ad81fc17bf997a2754e5
SHA1 hash:	71dca4bad5f45dddf9e66403ff076b5fdb172d25
MD5 hash:	ef0757ba0039e8bdf2f9a0c34d1f9a3d
humanhash:	queen-fanta-arkansas-timing
File name:	ef0757ba0039e8bdf2f9a0c34d1f9a3d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	652'800 bytes
First seen:	2022-03-29 07:23:40 UTC
Last seen:	2022-03-29 08:13:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c5abd0d249bf5319619ab44b6b97960d (5 x RedLineStealer, 2 x Stop, 1 x N-W0rm)
ssdeep	12288:oTgIHkoaq7KqRmd4rzDvG8I+A9FxOjPxvgnmDsRjg77j4r:o3X+ozrzD+8IpFcjPxdsR+7j6
Threatray	923 similar samples on MalwareBazaar
TLSH	T133D4F111BA90C031E6B325F45975A368B93E7EF19B24A1CB62D53AEE56307E4DC3070B
File icon (PE):
dhash icon	b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/259014/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.31567.25012.19792.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11945/overview

Behaviour

MeasuringTime

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6242b41e9253b276b79908f6/reports/c2f02a69-8a8c-4942-8d33-8e775a7f5b47/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLineStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/31cd1fb3-cca2-43a2-b709-ebfd7619f4ab

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/966508

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Contains functionality to register a low level keyboard hook

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-03-29 00:43:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

54d96050623da680c1b70f337ad421212655f7172d22b95c7953135bf89d55f0

RedLineStealer

556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5

RedLineStealer

a63806a04c7dc23ef99da422feb1192d69b6b627aa39ccc989362ae508af899e

RedLineStealer

b111141595018d6980a609315f572f827d7fa913454a785eebc7376019ece195

RedLineStealer

cf0f1aa6daa5e46b0a8a0ab76ed31b54a96c6125617ad0d0d508d08df6ec6b9b

RedLineStealer

feb32b614bc7f38cc0b553b5fee80b7e68ad8ae78df1f1cae4016a5aa1c4677a

RedLineStealer

+ 913 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix29.03 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220329-h8ddlacfh7/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.70:21508

Unpacked files

SH256 hash:

60df1c667578f94767b966eebee81c35536a397e63b4dc30ee61ed9723f90ccb

MD5 hash:

68682c3f3e1194bb9be52625eb653c3c

SHA1 hash:

c26bd920190c6fa3606b0463ae6d2311ac8b70e3

Link:

https://www.unpac.me/results/a95c2273-0137-414c-a369-9d4979c3e6f8/

SH256 hash:

de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229

MD5 hash:

ef0757ba0039e8bdf2f9a0c34d1f9a3d

SHA1 hash:

71dca4bad5f45dddf9e66403ff076b5fdb172d25

Link:

https://www.unpac.me/results/a95c2273-0137-414c-a369-9d4979c3e6f8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2114587/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/259014/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample