MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e428642687996febb3be8602fdb7e548721248ea5c7d2231b9d2ff47006fe4aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	e428642687996febb3be8602fdb7e548721248ea5c7d2231b9d2ff47006fe4aa
SHA3-384 hash:	dc7f99bf1d9686d43b7397f3470b463d02d0a53e44716bf704a838bbddc21930bc05275f3fd0ec169378235cf99c76bd
SHA1 hash:	51dd87747307f2606449e24a45c6e01d27374503
MD5 hash:	a730469a20e416d89ca44e2cb1bb76ec
humanhash:	berlin-jupiter-virginia-west
File name:	a730469a20e416d89ca44e2cb1bb76ec.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	429'568 bytes
First seen:	2021-06-28 07:30:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fa9874ea3b40c6a14dcd08fa8e3175b8 (2 x RedLineStealer, 1 x DarkVNC, 1 x CryptBot)
ssdeep	6144:Z4mKJxyf2i4iEMyXMYsJnpODPO703rEgbkIIUOIOCf7Z3iD7kE:NK3yui4MyXRIn3iEgbkIIUOIJlo7
Threatray	2'334 similar samples on MalwareBazaar
TLSH	4194AE10E6A1C035F1B241F49A76D3BC653DB9E19B2050CB63D5EAEE2A346E2EC31717
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.183.98.8:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.183.98.8:80	https://threatfox.abuse.ch/ioc/154769/

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a730469a20e416d89ca44e2cb1bb76ec.exe

Verdict:

Malicious activity

Analysis date:

2021-06-28 07:32:50 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/66ea6ed5-17e9-4311-b881-370718a2d4a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/168537/

Detection(s):

Win.Packed.Pwsx-9874587-0

Win.Dropper.Glupteba-9874594-0

Win.Packed.Generic-9874600-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/915e0633-1a4d-4a78-a10b-22faa964befc

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/808702

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e428642687996febb3be8602fdb7e548721248ea5c7d2231b9d2ff47006fe4aa/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-26 01:08:21 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4qugijuhtfx6xm56qybp3n7fjbzbeshklr6semnz2l7uoadp4sva._file

Verdict:

malicious

RedLineStealer

0c0f298ef912b9bcd172a997fd89829b4917e91e92dfbda6135b16a0464229e6

RedLineStealer

3ce3b3c69c51579cfcdfdcd19aab403d8a6b53c5c659ca8aaca5123ef5992eee

RedLineStealer

475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2

RedLineStealer

5b1d5e7cbca5156e7ff4a39d2bd55cc6d1b3286ddac9951fd2c075e1acf3b0c7

RedLineStealer

5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2

RedLineStealer

9f3059cd216e4310893b76812fac2bd3b203a592e5604347472b71ada0150855

RedLineStealer

b2e0c72237dbad9cbd82ec93814b1b078779d3016d4e7d18b7bd5ff2cdeb9c68

RedLineStealer

b479768bf30303be4d80d2ec21ea1a5cb116307e7c637a562b28c019acd515fa

RedLineStealer

f59245ad196a1287780a5c9dce8200745032dabf6216accde3650b8180d14947

RedLineStealer

+ 2'324 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:lolipop123 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210628-w51eg9azpe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

nhiaisheil.xyz:80

Unpacked files

SH256 hash:

1846fe507171eba0793f97eee710f29094337e058b8a96e880126031aaef3f21

MD5 hash:

87f1efd78a25a5da61f865498d7ebd02

SHA1 hash:

e2b958a81d12b47f18a5583c9f2a23ef2269ad0c

Link:

https://www.unpac.me/results/3c843a80-124e-4b79-850d-77fe6d427fb2/

SH256 hash:

30694d0bd97fbb43660f4ea23e64f592a6926442c51fe7d1b7668c33152d21ab

MD5 hash:

bc7a426b5f1b640d79dfc6e55c46b687

SHA1 hash:

ce47163864032b4c4e9477e768a22969489773ee

Link:

https://www.unpac.me/results/3c843a80-124e-4b79-850d-77fe6d427fb2/

SH256 hash:

3ac8be14ef10f731f2e05970137de8fc95f2f8d163faf3a39eb390253a15a51f

MD5 hash:

2ef7e9497ce0d556e0dea23399e8981c

SHA1 hash:

69e735b3f614436ede33f824809e3a4c39fa1a8c

Link:

https://www.unpac.me/results/3c843a80-124e-4b79-850d-77fe6d427fb2/

SH256 hash:

e428642687996febb3be8602fdb7e548721248ea5c7d2231b9d2ff47006fe4aa

MD5 hash:

a730469a20e416d89ca44e2cb1bb76ec

SHA1 hash:

51dd87747307f2606449e24a45c6e01d27374503

Link:

https://www.unpac.me/results/3c843a80-124e-4b79-850d-77fe6d427fb2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e428642687996febb3be8602fdb7e548721248ea5c7d2231b9d2ff47006fe4aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/168537/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample