MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a26b7f682b889b3731f2d6ded93a3910af27d5ea5aa3690e23f25d654affc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 4 File information Comments

SHA256 hash:	e7a26b7f682b889b3731f2d6ded93a3910af27d5ea5aa3690e23f25d654affc0
SHA3-384 hash:	69da498071d83b05ea2a62467443841e7c3c7e40f518f3d77e6288ec8aaba31e815b48c7a03ffc13f207d3bd50b25e62
SHA1 hash:	27184a4201724e1facfd6d67617f579103921e6c
MD5 hash:	a0b1e5e111a6a452ed4cdd6cb6272fda
humanhash:	alabama-chicken-earth-montana
File name:	a0b1e5e111a6a452ed4cdd6cb6272fda.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'716'400 bytes
First seen:	2022-02-07 05:56:15 UTC
Last seen:	2022-02-07 07:52:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep	98304:dwuGXdSfs9hlNAg5XrkSb/VQkpdTpGkTycao9EinuLEzJD:jG009hrA0db/VNDTlyw9EinuGD
Threatray	546 similar samples on MalwareBazaar
TLSH	T1230633F1B3B0FA80C84F447A25D57D03E2F53043A9E489A5867CAE85D945BE87291E8F
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.226:34189

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.226:34189	https://threatfox.abuse.ch/ioc/381581/

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

UnborGame_v.0.1.zip

Verdict:

No threats detected

Analysis date:

2022-02-05 11:59:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7c1c602c-4fd1-4772-8172-9d63347acacf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/233991/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

DNS request

Searching for the window

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Stealing user critical data

Blocking the Windows Defender launch

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6200b4b0fdec0968c37d8ed2/reports/edd6199a-a3cc-4dbc-ac57-d3163e4c340b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/828bcad5-f9a9-456a-b257-7aad16e02bb9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/934922

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e7a26b7f682b889b3731f2d6ded93a3910af27d5ea5aa3690e23f25d654affc0/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-02-05 17:17:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=46rgw73ifoejwnzr6lln5wj2heik6j6v5jnkg2ioepzf2zkk77aa._file

Verdict:

malicious

RedLineStealer

19469d26a781545bc0347ba1ef6d885744ec26c525eafd7034155b1095bab742

RedLineStealer

5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4

RedLineStealer

5ed9c8e4709af1af34ea8d1e6d5177c3d164c62c7dece9adcdd3d9c1b402484f

RedLineStealer

8143c63631df50b95ccfc47822f808fbff228f1da4eb5e521c6352fbc678d118

RedLineStealer

8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3

RedLineStealer

9fcaa9da6fe7fa15f35c891d33764bd8d47e7e87702aae69c1d48612f97b3956

RedLineStealer

d3a1bdd3ea570b33d18209bcc19d229229c95de8d4b13ffe76248ca72c17e09c

RedLineStealer

+ 536 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220207-gnlzkagch5/

Unpacked files

SH256 hash:

8306bef6ca6d15cd79ccd0444e92e5a00eefb82c9703157974feea1167924a74

MD5 hash:

d65ddce408dd4f0da61164753bbb8b55

SHA1 hash:

70cabf9b71d9a2abfa59d938b3786669fcf5280c

Link:

https://www.unpac.me/results/4f86c3bb-80b1-4496-954a-715c3583e6ea/

SH256 hash:

e7a26b7f682b889b3731f2d6ded93a3910af27d5ea5aa3690e23f25d654affc0

MD5 hash:

a0b1e5e111a6a452ed4cdd6cb6272fda

SHA1 hash:

27184a4201724e1facfd6d67617f579103921e6c

Link:

https://www.unpac.me/results/4f86c3bb-80b1-4496-954a-715c3583e6ea/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/233991/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample