MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e
SHA3-384 hash:	c1305a9abbc050c38005666065d41928a9133b246d9a944736e221fd2a053747c826b81d496995bec8f41d02d1fdaff2
SHA1 hash:	28a5e765c223c582850d42a4a5222395a70033df
MD5 hash:	b1cdaad6af18382fefea5e554666eb1c
humanhash:	fourteen-louisiana-uranus-lithium
File name:	b1cdaad6af18382fefea5e554666eb1c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'582'976 bytes
First seen:	2021-12-29 12:15:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep	98304:js/8KAzm5KUr+R8yyZnFtGWV4wY9yKK/sMn:jsHA9USuyyZnHGWaxPK/sa
Threatray	607 similar samples on MalwareBazaar
TLSH	T160F53351837D247DCE4B13B87A44AE006D4B432614CF84ABDA2FCE25FB7F46ACB69446
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
91.243.32.94:63712

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.243.32.94:63712	https://threatfox.abuse.ch/ioc/289021/

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b1cdaad6af18382fefea5e554666eb1c.exe

Verdict:

Malicious activity

Analysis date:

2021-12-29 12:17:19 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/4d0f9d5f-ad7b-4113-8269-52d8ec456b08

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/216786/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Malware.Generic-9918716-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61cc518aec6c6c14a9fb6c35/reports/85482539-bdeb-4aea-a1ed-505bff5860e5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/907a613f-019d-4d67-a4c7-bd5d9d844778

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/913775

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e/

Threat name:

Win32.Infostealer.Convagent

Status:

Malicious

First seen:

2021-12-26 17:48:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5az2jzqk7wyzepl67a36qmzsdd4cycf3lxtaupswlsk6l5wgd4xa._file

Verdict:

malicious

RedLineStealer

3ed3b03c36265ddffd8382859b7545cec6955331f85907018adc4bacde22e70e

RedLineStealer

4b53dc815775a5f6d377218f9bee6b102d49f5dfc678f5a939ec2e0be0890e4b

RedLineStealer

5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4

RedLineStealer

9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

RedLineStealer

9fcaa9da6fe7fa15f35c891d33764bd8d47e7e87702aae69c1d48612f97b3956

RedLineStealer

c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb

RedLineStealer

f3940f6c65cda4da86d1f9712223b8a278cd0dc90f701938a38a61ff74c66c66

RedLineStealer

+ 597 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211229-pfgc4sddcn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

cc98200505f47cc9ecdc76aa49a600ab329836ca0935eb0637f500d920acc03f

MD5 hash:

7b9b74de672c8a6de912644d762994e3

SHA1 hash:

d462af067365b9da81aabd1219e85619a1c6f02a

Link:

https://www.unpac.me/results/03fc3b49-c442-4566-9c53-ab583959c3e3/

SH256 hash:

4104bf59e068b43eb06e17a2a041135aea41cc1be28a09bbc55070e2262ef904

MD5 hash:

85a37ed486050b75761967efd0b1a9a0

SHA1 hash:

b035d5dc610f9efcfd862c2278d5aaa863a73c33

Link:

https://www.unpac.me/results/03fc3b49-c442-4566-9c53-ab583959c3e3/

SH256 hash:

e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e

MD5 hash:

b1cdaad6af18382fefea5e554666eb1c

SHA1 hash:

28a5e765c223c582850d42a4a5222395a70033df

Link:

https://www.unpac.me/results/03fc3b49-c442-4566-9c53-ab583959c3e3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/216786/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample