MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e228070565b955ec46508c0115d70d07299a5db66ddca69b798bee43ee7aa603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e228070565b955ec46508c0115d70d07299a5db66ddca69b798bee43ee7aa603
SHA3-384 hash: 4a91fb4da380d534048f5cffe636a884e003e4223c57b688eaa7ecf543325cd6c21845e79f634c95b00d56f3f511a483
SHA1 hash: deb87197e1cec0548018f73469ba1544faf1afd3
MD5 hash: fff4bcd716b7548669070982a5b03964
humanhash: pasta-georgia-steak-jupiter
File name:fff4bcd716b7548669070982a5b03964.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:368'640 bytes
First seen:2021-06-08 07:04:06 UTC
Last seen:2021-06-08 08:12:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b7d0cfc3cf5ef8b4576040fae638eaf (3 x RedLineStealer, 2 x DanaBot, 2 x ArkeiStealer)
ssdeep 6144:5FMI8TNY2fmTIBHh2ANs+DWNPCLAhIIMHqLZZujqHkopRy:5F585Y2fmTIBXxDe45KV0cy
Threatray 2'470 similar samples on MalwareBazaar
TLSH 8F74AE10B7A0C035F5F212F45AB782B9A83E7EF1AB2491CF52D51AEA56746E1EC31307
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
195.201.17.219:25524

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.201.17.219:25524 https://threatfox.abuse.ch/ioc/73619/

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trinity Loader.exe
Verdict:
Malicious activity
Analysis date:
2021-06-07 23:32:11 UTC
Tags:
trojan evasion opendir loader rat redline stealer phishing danabot
Link:
https://app.any.run/tasks/5a27eab6-978f-49c6-9616-d647324ab909

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165161/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37058802.27635.18479.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/798537
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e228070565b955ec46508c0115d70d07299a5db66ddca69b798bee43ee7aa603/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 01:40:43 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4iuaoblfxfk6yrsqrqarlvyna4uzuxnwnxokng3zrpxeh3t2uybq._file
Verdict:
malicious
Similar samples:
0c0f298ef912b9bcd172a997fd89829b4917e91e92dfbda6135b16a0464229e6
RedLineStealer
244f4accf54a144fbee1d3585ada4a5340c16d2f079405e074fc0c9d4952d55f
RedLineStealer
453debcca834d384581837da8253ac5f4e2eaf7fc641407081d1e7cf57bc4266
RedLineStealer
475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2
RedLineStealer
534bc099de916a0dfac65cc74e45482dd160f053d7100156f35cabeb53de123d
RedLineStealer
9f3059cd216e4310893b76812fac2bd3b203a592e5604347472b71ada0150855
RedLineStealer
acd3e84a50002f93f4f6f3f98b4f0ec25e60889df8e0f15bfff55ddf089cb5c0
RedLineStealer
b2e0c72237dbad9cbd82ec93814b1b078779d3016d4e7d18b7bd5ff2cdeb9c68
RedLineStealer
b479768bf30303be4d80d2ec21ea1a5cb116307e7c637a562b28c019acd515fa
RedLineStealer
ec51c1a42099d2ebcb00e68608346ac14013c57f5a87713f6ab41b17c305b537
RedLineStealer
+ 2'460 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kolya discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210608-9x9ayqckjs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
195.201.17.219:25524
Unpacked files
SH256 hash:
86d826f62b1b1bff87f273cbee8b9089d95fcf64cdc80ce5d7600deacabf6e2c
MD5 hash:
73af53d713b62ab9e602867193f7325d
SHA1 hash:
ff8fa1a4a46a6f55d8ead4a7b4b11d342cebe97c
Link:
https://www.unpac.me/results/c8aeddaf-30d8-4357-bf0e-4abca8838acd/
SH256 hash:
7d2ab09de4823a18015ee864646f95bd7c58e2422bfa1da611b8816b05bad0f3
MD5 hash:
d4a294052760142bf86034200e4a5ce2
SHA1 hash:
8dd989b069140836c351638aec1d05f4ed311e24
Link:
https://www.unpac.me/results/c8aeddaf-30d8-4357-bf0e-4abca8838acd/
SH256 hash:
07cb5dc6844a04b675636eb0d1e0f442f05b1cc652dc0c5766493a7d978fd21e
MD5 hash:
ad16e60352382104a5d87dd35101a345
SHA1 hash:
2d91245816b6fed01ff639e0ea91713a17fc1281
Link:
https://www.unpac.me/results/c8aeddaf-30d8-4357-bf0e-4abca8838acd/
SH256 hash:
e228070565b955ec46508c0115d70d07299a5db66ddca69b798bee43ee7aa603
MD5 hash:
fff4bcd716b7548669070982a5b03964
SHA1 hash:
deb87197e1cec0548018f73469ba1544faf1afd3
Link:
https://www.unpac.me/results/c8aeddaf-30d8-4357-bf0e-4abca8838acd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e228070565b955ec46508c0115d70d07299a5db66ddca69b798bee43ee7aa603

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e228070565b955ec46508c0115d70d07299a5db66ddca69b798bee43ee7aa603

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1290769/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165161/

Comments