MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c
SHA3-384 hash: bc03a9c3521f7935af0acd81e67e6fefaa1214a41dc2012f5e5f5e25823afd7868d891bbe0e3caf47f79cd51cd62df0d
SHA1 hash: 9c009acb34a16c0a185df24d362da1b690003978
MD5 hash: ff5f9201e8bca81a126ea15a536e5eed
humanhash: lemon-mirror-red-romeo
File name:ff5f9201e8bca81a126ea15a536e5eed
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:402'944 bytes
First seen:2021-11-10 10:47:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a5effb4de201aefae267d5eef9a314ac (3 x RedLineStealer, 1 x SystemBC)
ssdeep 12288:kIwlYT0hcOMX2DL9ZCQQysz5ok+WwRVk+4Yl/PZqtM+gA2:kIqYTocOMG/nCdZB5
Threatray 3'831 similar samples on MalwareBazaar
TLSH T12F84BE10BBA0C035F1B712F4497A9378F93E7AA1672494CF62D126EE1675AE1ED30327
File icon (PE):PE icon
dhash icon badacaaecee6bea6 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://host-host-file6.com/files/628_1636491663_2386.exe
Verdict:
Malicious activity
Analysis date:
2021-11-10 18:52:49 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/672aaae5-8c64-473a-a5b2-0be5a2370ff7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204687/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618ba365a00afa9663a2e1d3/reports/654a50b3-25e9-45f5-9f6d-d209e7f70b20/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d7a4567-953d-4728-91ad-a64e977249da
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886642
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 10:48:06 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=56qmt7efketp77e6qc7y3yq7ueflonxbjumvnubfwrijngryiuga._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
03e7020b59dab84deac5d05679ab9869a50856f3a98f7de2a3c1ff6f27929120
RedLineStealer
17af10af31345b400e46dc8f075c5d092b3df3d07423949196950b28ff23d7f2
RedLineStealer
2fdbbe32c94ec82a32e5c81f31a6d6ae0688d5be8a819de8d468d36f54760f1b
RedLineStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374
RedLineStealer
6a7af1d145e133bfd37416108227befcfd1c15597f3a05fdf39ec95b9e8f1cfe
RedLineStealer
9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7
RedLineStealer
a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c
RedLineStealer
ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9
RedLineStealer
+ 3'821 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pub3 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211110-mv4qvaggd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.46:80
Unpacked files
SH256 hash:
fee11b0b0e553163b94c7e93f951dcb8173cf32764e852e188232395181de111
MD5 hash:
f06d04f1716719cc38da538a680d322b
SHA1 hash:
fe7d97c3cb941af431e871a6962cd7875044da52
Link:
https://www.unpac.me/results/41e99ce3-a245-4a03-bf8c-ae915237419c/
SH256 hash:
6d21ff78ff30fc930936a0964de7d41fe9c924b4413a1177b512fa085ae712ab
MD5 hash:
08502c488b29f26b606c4b7dd1e70173
SHA1 hash:
dbff62acb6ebf7fb5f75c5b87ccdf0f4d23e413f
Link:
https://www.unpac.me/results/41e99ce3-a245-4a03-bf8c-ae915237419c/
SH256 hash:
1f7535de3d1301c5b7bd80868925d7d50d64ece6a773ad2638b219a8e60c22f1
MD5 hash:
efa3b33a54cdaf57e0b09974d91af8ab
SHA1 hash:
9b257578417b0fb78222dade8c86c6c5cd2584e8
Link:
https://www.unpac.me/results/41e99ce3-a245-4a03-bf8c-ae915237419c/
SH256 hash:
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c
MD5 hash:
ff5f9201e8bca81a126ea15a536e5eed
SHA1 hash:
9c009acb34a16c0a185df24d362da1b690003978
Link:
https://www.unpac.me/results/41e99ce3-a245-4a03-bf8c-ae915237419c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/efa0c9fc8551/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1772277/
Cape
Cape
https://www.capesandbox.com/analysis/204687/

Comments


Avatar
zbet commented on 2021-11-10 10:47:39 UTC

url : hxxp://host-host-file6.com/files/628_1636491663_2386.exe