MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6253788d64badce3fc41146ffb8700ada3a18e4abceb988961bd907c000d673. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6253788d64badce3fc41146ffb8700ada3a18e4abceb988961bd907c000d673
SHA3-384 hash: dcd32f779d321222b06a501f3570d31cd4053495a5d3684774a54b427e1edf62bfb6fc96e6c43a7f31250264d7adbe8f
SHA1 hash: 05446fde7b2e99936820d77bb0a2545bb40e644f
MD5 hash: 880c48bfac5874fd34d889bae3fc9267
humanhash: mango-monkey-fix-early
File name:880c48bfac5874fd34d889bae3fc9267
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'598'800 bytes
First seen:2022-01-24 11:07:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:SXYje7hczLUIMHwyanQlgs4KU6tV5OYFAFsOh+L:5xzLU5HTIQlgvctVcyG+L
Threatray 760 similar samples on MalwareBazaar
TLSH T1BCF533A0E3BEF9ABD9C46636A1D23C66A3DEA91BC0117477162CC77CB4065F78711C82
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221917/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Fragtor-9937220-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61ee889af81da814af9fa590/reports/7239788b-4ca3-494e-b25f-0e286e512398/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83a69b5e-7019-4911-a25d-4b2be353443b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926240
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6253788d64badce3fc41146ffb8700ada3a18e4abceb988961bd907c000d673/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 17:53:34 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ystpcgwjow44p6ecfdp7odqblndughevphltcewdpmqpqaa2zzq._file
Verdict:
malicious
Similar samples:
10ebaf2bf7ab361a6830a43e0c5f292c08c29d76866d499b3a91a547e8af5683
RedLineStealer
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
RedLineStealer
2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
RedLineStealer
31766eecb30b54ce96546c75d37a133ee490b808e71b99c59b2e0cf703a27553
RedLineStealer
38cfb802b835e2f9129680bbcbe93248ad21659931b8230e9c2109b3b496a873
RedLineStealer
53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca
RedLineStealer
89ed0d6aa2b4dc137a6708847ca6e2504f52e23f1dfc6dd6057797610e7271d7
RedLineStealer
a6c03e7b69ffe6152468171e8669db1915efc0f225449dd2278f0c7e40e15ee2
RedLineStealer
bcb32ac45b1ed10696c9b50fefda160fca340ac43fda723411be99bb47445746
RedLineStealer
cc023c690dd6423feb4187fe06693e15d46698b208568d6ce5a387bfcd893401
RedLineStealer
+ 750 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220124-m8kvwseeal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
0389250a8d1c65ddac54605ce4ad722ef6c676c5a39befaaf97012b47266458a
MD5 hash:
b09b01853ccc359dc395cc33f26ecfd9
SHA1 hash:
a593f5124bc9786998255915a87e30f082684984
Link:
https://www.unpac.me/results/d6835b80-ac5c-49e0-a421-0edfaf5a5d32/
SH256 hash:
e6253788d64badce3fc41146ffb8700ada3a18e4abceb988961bd907c000d673
MD5 hash:
880c48bfac5874fd34d889bae3fc9267
SHA1 hash:
05446fde7b2e99936820d77bb0a2545bb40e644f
Link:
https://www.unpac.me/results/d6835b80-ac5c-49e0-a421-0edfaf5a5d32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e6253788d64badce3fc41146ffb8700ada3a18e4abceb988961bd907c000d673

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e6253788d64badce3fc41146ffb8700ada3a18e4abceb988961bd907c000d673

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2002384/
Cape
Cape
https://www.capesandbox.com/analysis/221917/

Comments


Avatar
zbet commented on 2022-01-24 11:07:27 UTC

url : hxxp://coin-coin-file-9.com/files/3284_1642714335_1607.exe