MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85
SHA3-384 hash: de6efcd2ee3e4dd3533ea3df7cbbbedfe396a3b73ecc0031a0379a504a5a7b1dc52c9779844e43ebd5f5873846a41b67
SHA1 hash: 3adc44730aa6dc705c6874837c0e8df3e28bbbd8
MD5 hash: c1e9e5d15c27567b8c50ca9f9ca31cc0
humanhash: wyoming-glucose-item-berlin
File name:c1e9e5d15c27567b8c50ca9f9ca31cc0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:406'016 bytes
First seen:2021-11-10 05:46:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f60c500db75f47142be06e755ed4aae (4 x RedLineStealer, 2 x RaccoonStealer)
ssdeep 6144:K+PrXUlD42eRKRekaij199biOPIT1ZYZjZrWOHYaTiZtmNIj:NrwDb30Qx9NiOPITQtZ19ctmN
Threatray 3'730 similar samples on MalwareBazaar
TLSH T13884D014BBE0C035F5B712F4467A97B8AA3E78A1673491CF62E516EA57706E0EC3031B
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.144.31.193:5785

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.144.31.193:5785 https://threatfox.abuse.ch/ioc/246310/

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20211110.zip
Verdict:
Malicious activity
Analysis date:
2021-11-10 04:21:15 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar
Link:
https://app.any.run/tasks/84dcbb55-8225-4f91-8af7-0336b1811bd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204615/
Detection(s):
Win.Packed.Ulise-9907202-0
Create hunting rule

Win.Packed.Ulise-9907481-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer emotet glupteba greyware packed
Link:
https://www.filescan.io/uploads/618b5ca0175442ca93aa3029/reports/653550de-0b8e-4a3c-a372-6b72892759fa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0faca0ba-a4f9-4cd7-8a92-f82c4864ecf4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886488
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 04:41:12 UTC
AV detection:
30 of 44 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3zjutymxqnhyjccu7n6rdszm7ajkkfmug537d367abiq4gsrlkcq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
RedLineStealer
2fdbbe32c94ec82a32e5c81f31a6d6ae0688d5be8a819de8d468d36f54760f1b
RedLineStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374
RedLineStealer
829225fc19a57409d03967926eeb1ee6b4da7184af8e25f80ffeba6633b46c82
RedLineStealer
d68549067554697569e1566c1e4c993a7e84dae92fb30e39ac9f4fc184e48cd1
RedLineStealer
+ 3'720 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:09.11 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211110-ggv9nagdd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.144.31.193:5785
Unpacked files
SH256 hash:
43c00a0cc841d90b1dbcb48f639fe0159db2c9fcfdf702f84831e774588523e7
MD5 hash:
012b0ecada0ef92e12965e6553e47a1a
SHA1 hash:
dc06f938e77f54f9e046b9fe5ab6e680315dc5a4
Link:
https://www.unpac.me/results/3e8fdd24-3bcb-4060-b297-6621c7c9f4a3/
SH256 hash:
49adeb8c85c04a422d03e76005d53f8d79d482dc474f32e36564d28f7adc714a
MD5 hash:
a09b03ea92b60918187f9f90fdac8173
SHA1 hash:
b5f0a5c96f6e261ca42a0f8588ed6a224c8babf3
Link:
https://www.unpac.me/results/3e8fdd24-3bcb-4060-b297-6621c7c9f4a3/
SH256 hash:
6c215282bcdc905395d76fe52ec3bc22782d2df30f4d24927492a02781e86c3c
MD5 hash:
5ff59f0f2a16bb1f7bbe5d4587133daf
SHA1 hash:
428fbb3e597f4941c2c1f115873e79ceced10f1f
Link:
https://www.unpac.me/results/3e8fdd24-3bcb-4060-b297-6621c7c9f4a3/
SH256 hash:
de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85
MD5 hash:
c1e9e5d15c27567b8c50ca9f9ca31cc0
SHA1 hash:
3adc44730aa6dc705c6874837c0e8df3e28bbbd8
Link:
https://www.unpac.me/results/3e8fdd24-3bcb-4060-b297-6621c7c9f4a3/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/de5349e19783/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1644572/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/204615/

Comments