MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f063a271d8a2da357559a32adcec6083529158168bf340c2b3c393778898da66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	f063a271d8a2da357559a32adcec6083529158168bf340c2b3c393778898da66
SHA3-384 hash:	f965118b4672ade18bb6ae157cdab97d7e03f9d0c38b42511184eee5822b1d707f3d4b4302bf5f20aa028e261c476e87
SHA1 hash:	c96b7a2067ee13cb84b7e89e4a455ebc19f2b13b
MD5 hash:	b1a0bc55343edb874ec4c54cbb5a21b4
humanhash:	stream-lamp-lemon-east
File name:	f063a271d8a2da357559a32adcec6083529158168bf34.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	391'680 bytes
First seen:	2021-11-09 12:46:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d258636f72d347eaf01f17dafac75115 (3 x RedLineStealer, 2 x RaccoonStealer)
ssdeep	6144:YHWuK6isfynD/VQ5Nie31XXP1klVjdbnmuzbgwu6QigabwVf:kWunfLtRXP1Qdjmunn5
Threatray	3'514 similar samples on MalwareBazaar
TLSH	T18484D031FEA89834E1931E3459B086E05A3FBC51E870914AE350EB9A1FB3F9C55E131E
File icon (PE):
dhash icon	fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
93.115.18.158:3333

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
93.115.18.158:3333	https://threatfox.abuse.ch/ioc/246036/

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/204486/

Detection(s):

Win.Trojan.Generic-9906916-0

Win.Malware.Fragtor-9907126-0

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/618a6dc7a00afa9663a1e877/reports/7c9eaf8c-51f3-481b-a31d-52a662a05571/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2c77eec8-5f05-41af-81bd-ab7a13d44f08

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/886015

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f063a271d8a2da357559a32adcec6083529158168bf340c2b3c393778898da66/

Threat name:

Win32.Trojan.Krypter

Status:

Malicious

First seen:

2021-11-09 12:47:06 UTC

AV detection:

28 of 45 (62.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6br2e4oyulndk5kzumvnz3daqnjjcwawrpzubqvtyojxpcey3jta._file

Verdict:

malicious

Label(s):

asyncrat

RedLineStealer

2fdbbe32c94ec82a32e5c81f31a6d6ae0688d5be8a819de8d468d36f54760f1b

RedLineStealer

45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374

RedLineStealer

829225fc19a57409d03967926eeb1ee6b4da7184af8e25f80ffeba6633b46c82

RedLineStealer

9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7

RedLineStealer

a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c

RedLineStealer

bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c

RedLineStealer

c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b

RedLineStealer

d68549067554697569e1566c1e4c993a7e84dae92fb30e39ac9f4fc184e48cd1

RedLineStealer

+ 3'504 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:installmarket discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211109-pz7peafcc2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

93.115.18.158:3333

Unpacked files

SH256 hash:

fb021b5c62893169f269e4df701a518f4f3c2448911802bef37782e703f5c35e

MD5 hash:

e666e8df3be6f55abffd3fd7c5ee38ca

SHA1 hash:

cfbd624232410df465f9c02de8ebe05955061c66

Link:

https://www.unpac.me/results/bcb3376e-6c1b-49cf-acb0-8f5308487f68/

SH256 hash:

3499c823c8bdb8fb958542d7150958975beabe497f560738d4948f84fe41a29d

MD5 hash:

53b86a568da35079b9d1e5639cf199e0

SHA1 hash:

b3002f04f83e1ef20a34237d706d2670e7175760

Link:

https://www.unpac.me/results/bcb3376e-6c1b-49cf-acb0-8f5308487f68/

SH256 hash:

433001d27bf95b80678c5b59243f53b020e6580ecc255e67a027c3e5b82d7d52

MD5 hash:

c3a6905c95bf0c5ee5ccb7fd78737466

SHA1 hash:

809f44638902363b8cb443c60beced44a65c9eb5

Link:

https://www.unpac.me/results/bcb3376e-6c1b-49cf-acb0-8f5308487f68/

SH256 hash:

f063a271d8a2da357559a32adcec6083529158168bf340c2b3c393778898da66

MD5 hash:

b1a0bc55343edb874ec4c54cbb5a21b4

SHA1 hash:

c96b7a2067ee13cb84b7e89e4a455ebc19f2b13b

Link:

https://www.unpac.me/results/bcb3376e-6c1b-49cf-acb0-8f5308487f68/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f063a271d8a2da357559a32adcec6083529158168bf340c2b3c393778898da66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/204486/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample