MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec316131d19e352193c7eb590ff34e7079fe94fd0a8bb44b7dff6d9fbabb44b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	ec316131d19e352193c7eb590ff34e7079fe94fd0a8bb44b7dff6d9fbabb44b2
SHA3-384 hash:	680d5aca27bc3e70310ff7914009242055e1feaa7a81dbaa35dc9653b8cd617cef4df1be3decf7a2feafaf4d3c7dc4ae
SHA1 hash:	92418b0f171c214c69d42fa798b9d52868787fcb
MD5 hash:	5261ef6173d2c918b6c052985db59629
humanhash:	summer-ceiling-mockingbird-may
File name:	5261ef6173d2c918b6c052985db59629.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	368'808 bytes
First seen:	2021-09-26 00:46:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6abb333342201a93de1795b4b0940b40 (12 x RedLineStealer, 3 x Stop, 2 x RaccoonStealer)
ssdeep	6144:Jyq9eOaqx4MLDewgC45FYBBKigEDDpVqCQuu0JkqoU1hisaEsu:Rvaqx4MLlv4TYBBKLEDDmQ+TxsPsu
Threatray	2'435 similar samples on MalwareBazaar
TLSH	T16274CF20ABA0C031F9B706F855BA9378A93D7AB16B3491CB62D517EA1B347E4DC30747
File icon (PE):
dhash icon	337333734b0d37c8 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
80.87.192.249:16640

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
80.87.192.249:16640	https://threatfox.abuse.ch/ioc/226452/

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5261ef6173d2c918b6c052985db59629.exe

Verdict:

Malicious activity

Analysis date:

2021-09-26 00:46:37 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/3dfef30d-465c-46f4-9935-50a3503e3aad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/191657/

Detection(s):

Win.Malware.Fragtor-9895683-0

Win.Malware.Fragtor-9895686-0

Win.Packed.Fragtor-9895692-0

Win.Packed.Fragtor-9895768-0

Win.Packed.Fragtor-9896146-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Launching a service

Creating a window

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8dfc0fc3-cd68-410a-b0ce-92ee3a547509

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/858230

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec316131d19e352193c7eb590ff34e7079fe94fd0a8bb44b7dff6d9fbabb44b2/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-26 00:47:06 UTC

AV detection:

29 of 45 (64.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5qywcmorty2sde6h5nmq742oob475fh5bkf3is3575wz7ov3isza._file

Verdict:

malicious

RedLineStealer

383f147b7eb4c815bc9def993cff994da41c7395092ceedd3c22d10e130b8c15

RedLineStealer

3ec482600f9fbb506f8a8706dd80d33ef16f0dd7929c7bdfe2b2755ddb059a66

RedLineStealer

567bca315477953823cfc51ec1a736c79ad8389cc0b0d0f4fad240372118aa61

RedLineStealer

60595b6c6de942a30a61cb02b27b2dfec3cb76ee4751a68b8d92feefda02f78e

RedLineStealer

62ca6e54fa1a2d0dc255f288afacfa7d6b42500d60f23cb957e0297e5928ca42

RedLineStealer

d571f4c8d4e202e48bd37ec433a60a6fe8843d20b6afbc01c57e9cde330ed9dc

RedLineStealer

d6e874d199b4b0dfbd26b186212e02e83d64870dba2c033f952004b47137fbe9

RedLineStealer

dd4053f9eda1802add6d470ebe1e904098bbf47c13d19ee342271da2ad6435bf

RedLineStealer

f1a9eccc2cb1b0572b669b47cb1b29667221529555e554f34d2d13e6e334ceb6

RedLineStealer

+ 2'425 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210926-a48pyaeaeq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

80.87.192.249:16640

Unpacked files

SH256 hash:

a2ff10e0568df7a62caaf5a19981dd0e88c2325056ffdf268daf58df1e9644c1

MD5 hash:

5bfdac8c7169ccb5f6f3bc52da9a91ed

SHA1 hash:

d3edc93f8e4da83163f814f3c99ec41484480a4c

Link:

https://www.unpac.me/results/a8d1cdd2-8cbf-4960-9358-f5e559e18c3d/

SH256 hash:

0fe6290010b63b124188c14cf38f0406a9dbf7496afabe687d4e3eeec600df23

MD5 hash:

fd4f9efb04464d149c3ace53c110e0f4

SHA1 hash:

9ea9bd0679b139d9a7d747f0f6a13c6191b06567

Link:

https://www.unpac.me/results/a8d1cdd2-8cbf-4960-9358-f5e559e18c3d/

SH256 hash:

bbc53e129ffcc33b3c9749c808c7d21366e382708e7b90489dcc5241dc04fd27

MD5 hash:

31e4db2a19a304ee2693d242e9837f29

SHA1 hash:

8a2b50b7733a2a9c7ae4628e728ee9cbd27fb8e3

Link:

https://www.unpac.me/results/a8d1cdd2-8cbf-4960-9358-f5e559e18c3d/

SH256 hash:

ec316131d19e352193c7eb590ff34e7079fe94fd0a8bb44b7dff6d9fbabb44b2

MD5 hash:

5261ef6173d2c918b6c052985db59629

SHA1 hash:

92418b0f171c214c69d42fa798b9d52868787fcb

Link:

https://www.unpac.me/results/a8d1cdd2-8cbf-4960-9358-f5e559e18c3d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/ec316131d19e352193c7eb590ff34e7079fe94fd0a8bb44b7dff6d9fbabb44b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191657/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample