MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2c8546e61ac6f18f9d739a31134c3d47612059d16201d871d260449fe37e20c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	f2c8546e61ac6f18f9d739a31134c3d47612059d16201d871d260449fe37e20c
SHA3-384 hash:	91c08d72ff5bb3c65c9a7d4d61ece37ef5c1417778c1f89930693f47404447fa378644df31211bcfbb4f8db0d76ce988
SHA1 hash:	eed4e33f40b66b2e7045a8548da2a7574056fbd6
MD5 hash:	392f53e08bfedeed350c92996de0c813
humanhash:	robert-massachusetts-friend-fruit
File name:	f2c8546e61ac6f18f9d739a31134c3d47612059d16201.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	271'872 bytes
First seen:	2021-07-14 07:36:03 UTC
Last seen:	2021-07-14 08:40:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	af5acd8c4ec9956a4218fb9bfa0557fa (2 x RedLineStealer)
ssdeep	3072:1jdlpgaZEG812VYvoJuWHkJUiU099/iuYAhUC1osqtERa5TZS3THbb:LlWmEGRYcSTH/iu5hPqtVgDbb
Threatray	1'088 similar samples on MalwareBazaar
TLSH	T13844D01232A09833D7E7553460BDCBA05E7BB8336AB4414F27941B6A4F313E191BE767
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.69.55.138:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.69.55.138:80	https://threatfox.abuse.ch/ioc/160166/

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

60ec5c8fa096f_Main-lnstall-v7.1.zip

Verdict:

Malicious activity

Analysis date:

2021-07-13 22:26:57 UTC

Tags:

evasion autoit loader trojan stealer vidar rat redline raccoon keylogger agenttesla phishing

Link:

https://app.any.run/tasks/abd17d39-adbe-4d16-b1ce-d58dfc3fe5ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/171610/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.1073.25204.27083.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/38c27fad-a0ce-4185-bca6-8211314b1ebc

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/816079

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2c8546e61ac6f18f9d739a31134c3d47612059d16201d871d260449fe37e20c/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-13 21:28:54 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6lefi3tbvrxrr6oxhgrrcngd2r3bebm5cyqb3by5eycet7rx4iga._file

Verdict:

malicious

RedLineStealer

1ba812e8f200b18b8f04bf694314c9b5127aa8a3ce5351ac389639fb69d6d528

RedLineStealer

2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e

RedLineStealer

45cfc2ce1e033a00c42202e16a7ba83229688d49d7776e175488c56aade45558

RedLineStealer

49e784cd4664d480317bc3e726821d153e14ebc8b335cebce963ec427e4dcea9

RedLineStealer

6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0

RedLineStealer

7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8

RedLineStealer

78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16

RedLineStealer

d1393748b163640113850583346ee301192def81a399142aa276691eecd4314a

RedLineStealer

d59ae43affeee4773c89a3bddf6da80f88e86dc5c91184890864f97fc7cd5f5b

RedLineStealer

+ 1'078 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210714-4penh11xje/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

woltelorda.xyz:80

Unpacked files

SH256 hash:

7accfc6c5eab1dbe7f405682ba228345807c02c742c88790eba89c6ef9b5db9d

MD5 hash:

f769dc8576362081a1f7fbe0a4a24c02

SHA1 hash:

f720778094539bd013b2496dfea38d3b515d086b

Link:

https://www.unpac.me/results/5d8a8fca-8b84-4f8e-8f90-2bf1f8909d41/

SH256 hash:

09f90c97cedd9fcdab5d138f8c6bcbad85399d708fb4e5509679c9ad698ac847

MD5 hash:

8f2d184da20bd5600770c44aa9123c15

SHA1 hash:

74704332d6c4f21facff132bedd9b07980b001bc

Link:

https://www.unpac.me/results/5d8a8fca-8b84-4f8e-8f90-2bf1f8909d41/

SH256 hash:

950128768dafe9327f73a3259b013ceecba321af3ad7b26d1ee41ca3b2854461

MD5 hash:

1e9d3ce5812523fa152692977cc94b0f

SHA1 hash:

43a41f484bf568a77537ff93736537bb054b3f66

Link:

https://www.unpac.me/results/5d8a8fca-8b84-4f8e-8f90-2bf1f8909d41/

SH256 hash:

f2c8546e61ac6f18f9d739a31134c3d47612059d16201d871d260449fe37e20c

MD5 hash:

392f53e08bfedeed350c92996de0c813

SHA1 hash:

eed4e33f40b66b2e7045a8548da2a7574056fbd6

Link:

https://www.unpac.me/results/5d8a8fca-8b84-4f8e-8f90-2bf1f8909d41/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2c8546e61ac6f18f9d739a31134c3d47612059d16201d871d260449fe37e20c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171610/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample