MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a9eccc2cb1b0572b669b47cb1b29667221529555e554f34d2d13e6e334ceb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	f1a9eccc2cb1b0572b669b47cb1b29667221529555e554f34d2d13e6e334ceb6
SHA3-384 hash:	2ea60ff7251140d99ea5183f20da5b2f2b63604b339e39b5c2ead4553750927ace27a6e147f9b9f9ec35ad08a4296e11
SHA1 hash:	be2aa3fce6752277a92354f19cb134b0ca2400c1
MD5 hash:	151c3f87773fc882f4713a314bce04d1
humanhash:	alanine-autumn-march-edward
File name:	151c3f87773fc882f4713a314bce04d1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	315'560 bytes
First seen:	2021-09-25 10:14:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	87c83270f93d842aca2a44bace33c055 (1 x RedLineStealer)
ssdeep	3072:sAfrfTuXQ9y5+mrYU5bqt3RCihVSOIXSi0DoDd3t4RbGdD3N5AWw15F2VLSQEOJV:szAirY8D4V8/6oltw430N2z5JHa2su
Threatray	2'630 similar samples on MalwareBazaar
TLSH	T18264E1217560CC72C7A31D307867C368AABAF9E6693CC68777686B7E6F203C15635306
File icon (PE):
dhash icon	72333333531d4eea (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
80.87.192.249:16640

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
80.87.192.249:16640	https://threatfox.abuse.ch/ioc/226452/

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

151c3f87773fc882f4713a314bce04d1.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 10:15:57 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/f5257ccb-7961-454c-98ea-30364204837a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191497/

Detection(s):

Win.Packed.Generic-9894234-0

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/845e24d5-fee5-4d8e-b153-3b14662084c2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/857938

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1a9eccc2cb1b0572b669b47cb1b29667221529555e554f34d2d13e6e334ceb6/

Threat name:

Win32.Trojan.Racealer

Status:

Malicious

First seen:

2021-09-20 08:15:20 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gu6ztbmwgyfok3gtnd4wgzjmzzccuuvkxsvj42nfuj6nyzuz23a._file

Verdict:

malicious

RedLineStealer

32b9b4bce4d318a9df816799b1ab544126244277da5d9d5395f05e926c238cc0

RedLineStealer

4a1eb5d077f5f4134acde43b07cda42bc1f03570bfcdba0289ef2af4212d0bf5

RedLineStealer

55415e508d283bfd58795c2f0d4455c43ac03fca354c007fd8cd46a756bf342c

RedLineStealer

60595b6c6de942a30a61cb02b27b2dfec3cb76ee4751a68b8d92feefda02f78e

RedLineStealer

71f8415c24040b573b4852f93ba4df25f83f2a57c536ca9b19011b6ceb9c4528

RedLineStealer

729439c4ee7b6b04bd443520adfae3c5b2eb69981319547e21a9060d64be7693

RedLineStealer

b2bbf81e6846b2cb9f72eccbb9e04ad7ade462b048b8cd846db957c38a3c1ff5

RedLineStealer

e56b53500bf0072f709cec8121a19d8d98a42672ff4df8c3079518d68b6c4f3f

RedLineStealer

f18ddf6b5463037a5ea928e0aba4b0783621211b0afa17f4a0a8ed6c1e8014e3

RedLineStealer

+ 2'620 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210925-l99pzababq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

80.87.192.249:16640

Unpacked files

SH256 hash:

a2ff10e0568df7a62caaf5a19981dd0e88c2325056ffdf268daf58df1e9644c1

MD5 hash:

5bfdac8c7169ccb5f6f3bc52da9a91ed

SHA1 hash:

d3edc93f8e4da83163f814f3c99ec41484480a4c

Link:

https://www.unpac.me/results/e17b50e3-46b2-4728-ab7c-c73e29f1ad9e/

SH256 hash:

0fe6290010b63b124188c14cf38f0406a9dbf7496afabe687d4e3eeec600df23

MD5 hash:

fd4f9efb04464d149c3ace53c110e0f4

SHA1 hash:

9ea9bd0679b139d9a7d747f0f6a13c6191b06567

Link:

https://www.unpac.me/results/e17b50e3-46b2-4728-ab7c-c73e29f1ad9e/

SH256 hash:

bbc53e129ffcc33b3c9749c808c7d21366e382708e7b90489dcc5241dc04fd27

MD5 hash:

31e4db2a19a304ee2693d242e9837f29

SHA1 hash:

8a2b50b7733a2a9c7ae4628e728ee9cbd27fb8e3

Link:

https://www.unpac.me/results/e17b50e3-46b2-4728-ab7c-c73e29f1ad9e/

SH256 hash:

f1a9eccc2cb1b0572b669b47cb1b29667221529555e554f34d2d13e6e334ceb6

MD5 hash:

151c3f87773fc882f4713a314bce04d1

SHA1 hash:

be2aa3fce6752277a92354f19cb134b0ca2400c1

Link:

https://www.unpac.me/results/e17b50e3-46b2-4728-ab7c-c73e29f1ad9e/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f1a9eccc2cb1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f1a9eccc2cb1b0572b669b47cb1b29667221529555e554f34d2d13e6e334ceb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191497/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample