MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e628857218db041ba101824f54fa64e4948a80bb4f542fc0aa5911067ada6c5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: e628857218db041ba101824f54fa64e4948a80bb4f542fc0aa5911067ada6c5c
SHA3-384 hash: cf009fe5a5bd77650a7b9cfe2c56eefea618976a004ecfa6fd1d2eef9a930d51148ac924177c567f4cd23a3c4f5cbf98
SHA1 hash: 90abcb56e8ddcabcff8bf7b0571d50af9eec8331
MD5 hash: 960f1044b8853d1f06a0d7bf75d249e3
humanhash: uncle-fifteen-speaker-lactose
File name: e628857218db041ba101824f54fa64e4948a80bb4f542.exe
Signature: RedLineStealer
File size: 440'832 bytes
First seen: 2022-07-07 07:10:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a62d8652970dd4e0f57d956a005981b (1 x GCleaner, 1 x RedLineStealer)
ssdeep: 6144:pWBsLrTPkWBQ6pUBWiPoYs3WiF58+etAcdShLPhO+wnWEEwTFhnjMAEzNS:asTPvBBKBW3Ys3WX7OhO+wnWE77nLOo
Threatray: 5'862 similar samples on MalwareBazaar
TLSH: T1AF94BF10B791D436F5B712F449B693A8B93D7EA1972894CF62D42AEE17346E0EC3130B
TrID: 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.0% (.SCR) Windows screen saver (13101/52/3)
      13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 2dac1378319b9bb1 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
92.53.119.245:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
92.53.119.245:80    https://threatfox.abuse.ch/ioc/807825/

Intelligence


File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 80 / 100
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2022-07-07 07:11:15 UTC
File Type: PE (Exe)
Extracted files: 13
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: levelcupsecurity.eu:80
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments