MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2e367fb119960952c2ec2d59e1617f8653fd0e8ffb18a5d632cf5ffc1b521bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	f2e367fb119960952c2ec2d59e1617f8653fd0e8ffb18a5d632cf5ffc1b521bd
SHA3-384 hash:	e10b7f942f3325b7e478e51909d0d3f6e41a7570a1fd613f0512696be302dd567ace1af0dce1c062063c805b47bdb7e7
SHA1 hash:	063b69c7a034ff5065787c412c5ae21d3a965fc3
MD5 hash:	6d4cb1408547671d88ff1988b449f286
humanhash:	virginia-king-xray-pasta
File name:	Run.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	458'752 bytes
First seen:	2021-09-11 10:37:07 UTC
Last seen:	2021-09-11 12:11:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:fklT97scjSC3jh4/Iqi6orq7xwFoPMXmXf8Gmt3hiIA5BIF+/5PmU:63jhFI
Threatray	1'607 similar samples on MalwareBazaar
TLSH	T186A4142864BFC01985E3EEA52EDCA8FBD99A55E3640C703701B4633B8B51B84DE4F479
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Run.exe

Verdict:

Malicious activity

Analysis date:

2021-09-11 10:40:05 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/5a394beb-4f97-429c-abef-445d48a37ea1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/187050/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.972.24570.14865.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b0a2724-f1bd-40ec-957b-725f6fc45359

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/849132

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2e367fb119960952c2ec2d59e1617f8653fd0e8ffb18a5d632cf5ffc1b521bd/

Threat name:

ByteCode-MSIL.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-11 10:38:08 UTC

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6lrwp6yrtfqjklboylkz4fqx7bst7uhi76yyuxldft277qnveg6q._file

Verdict:

malicious

RedLineStealer

2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e

RedLineStealer

6ebffc2f57819f35342d125f7dac3659899979329c731a2e5badc16648892b69

RedLineStealer

7151dc894be6ab81d6a5ac2fb22812821fb28c2bccea1d01a54eac55ca11da2e

RedLineStealer

7e0eb1f199985371a9fea2cec80bcc0ae2075f0daf0b63ac660b26f53f0411de

RedLineStealer

8d54f39dca652351657082145dcf19755740f1d807204a28345c8660c74546e2

RedLineStealer

8e1744ef99e2d9e8aa9447dd7495ea10c66c50d03125eda0574c1e29c71237ff

RedLineStealer

9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a

RedLineStealer

b948568e3dd6b10e2497a62c0d86a8ffa061cb8c1789e1b76d3b4ffde3dc64fd

RedLineStealer

e6caab24402f364bef57cd70a56650b7d657d3098e63361de7ddef5539199a66

RedLineStealer

+ 1'597 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:rich discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210911-mpdx8seddl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

95.217.248.44:1052

Unpacked files

SH256 hash:

502d8fd0c78fc5e008b6d30491841982449687a1c3ffbcf96b4d96d5fd1d7484

MD5 hash:

cbbc1cd8d046b3a68f337c9030ca8472

SHA1 hash:

89035cc24fd7ab6edf38e8e316d9a75d82d84a50

Link:

https://www.unpac.me/results/df43450a-8d97-4888-95b8-27c02cca0822/

SH256 hash:

f2e367fb119960952c2ec2d59e1617f8653fd0e8ffb18a5d632cf5ffc1b521bd

MD5 hash:

6d4cb1408547671d88ff1988b449f286

SHA1 hash:

063b69c7a034ff5065787c412c5ae21d3a965fc3

Link:

https://www.unpac.me/results/df43450a-8d97-4888-95b8-27c02cca0822/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f2e367fb1199/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/f2e367fb119960952c2ec2d59e1617f8653fd0e8ffb18a5d632cf5ffc1b521bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/187050/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample