MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f42ab6fefce253e5db737f05281964c50ec960e34655722d55e458e4f50633be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f42ab6fefce253e5db737f05281964c50ec960e34655722d55e458e4f50633be
SHA3-384 hash: 0a15c1ace1f0b88412ffc3db31b6a39ebaf12ca4e56a7f872eb2b55895b028b80c28862a963d3bdb5fbbef9bb4732df8
SHA1 hash: cc6274612370cffa2d60e0113af7cc37524cef65
MD5 hash: 1bc3de631374c4ee565c2ff9c7cc8164
humanhash: emma-fanta-arizona-kitten
File name:1bc3de631374c4ee565c2ff9c7cc8164.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:398'848 bytes
First seen:2021-12-04 06:50:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96ebb20b02cbb20540b7ec2433018ad5 (2 x RedLineStealer, 2 x Smoke Loader, 1 x CryptBot)
ssdeep 6144:8v/Vs/zLz+GbKw98ZXvLnUKpNu6bLNoRvmsekw3cDGwNZD:8vG/b+GbTYLn5XZ4tekw3K
Threatray 3'677 similar samples on MalwareBazaar
TLSH T14484DF2275C0C077D49669B64826DB715EAA74751BA22ACF3BD84BFD0F243E2873530E
File icon (PE):PE icon
dhash icon d2b1e4d4ecb987f9 (38 x RedLineStealer, 18 x RaccoonStealer, 15 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.241.19.213:46284

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.241.19.213:46284 https://threatfox.abuse.ch/ioc/259048/

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1bc3de631374c4ee565c2ff9c7cc8164.exe
Verdict:
Malicious activity
Analysis date:
2021-12-04 06:53:22 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/5be037d2-6aa2-415c-95bc-a2e051d43953

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211217/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/748/overview
Behaviour
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61ab0fdf47ed217c0130c900/reports/7f5d6280-4a1f-446b-974a-f3f4041e8405/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4ca1586-0650-4247-a9a9-b7b8feba1f15
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901305
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f42ab6fefce253e5db737f05281964c50ec960e34655722d55e458e4f50633be/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-12-04 06:51:15 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qvln7x44jj6lw3tp4csqgleyuhmsyhdizkxelkv4rmoj5iggo7a._file
Verdict:
malicious
Similar samples:
1f1858f864bf3d7db8469dd2c095afc51689a77b7221bf8e5b639b194aff1338
RedLineStealer
61012d16ce5716684e6755935387994e4916d3fcdc295d2ac8f02e688581c2ed
RedLineStealer
8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0
RedLineStealer
95edb1ae6bc853a40c0f6ebba3470b509409ce94e38096027dffc326d26cf1eb
RedLineStealer
cc135a653d43f5bf9adaf3f913761e807d2d701008b2e2249138bcef5a2f1a62
RedLineStealer
def1c6c0f612e6c8f33b57ff702fa14c8c36ca1fad55a00bd2f18789401c236d
RedLineStealer
e5127a9ede19896dc5b7d164dc332251b03e3189ba66a972ac47f74b4402399d
RedLineStealer
eb6bc4ede6a43e04723cbe0c1f6480f2c057c916e105d6b5665698a98f628a05
RedLineStealer
+ 3'667 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:udpn discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211204-hmjcqaaedq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.241.19.213:46284
Unpacked files
SH256 hash:
4d974e1d08460bd8fcf65788cea59bc96748ce0cc1c1497dd277619cbe34bf1d
MD5 hash:
cfa560544e482399ce9c943000d7b0d1
SHA1 hash:
f251de97b1da28e9c611d67266ad0d3c17d72b9f
Link:
https://www.unpac.me/results/e88aaa09-b6d2-4497-b99a-e475744088ea/
SH256 hash:
4fbabb708d043b641d6dce6b770b9f2c7dc39475dc240ba6ebff80f084b82295
MD5 hash:
a5ca74c6f82faead6d24dcde250525d4
SHA1 hash:
ae0754a38ab2494507017074d805f5dda7e1a285
Link:
https://www.unpac.me/results/e88aaa09-b6d2-4497-b99a-e475744088ea/
SH256 hash:
14468ffb4a7c03c4ae0975e2942cd5aed4bed4ea422f150df39fed87bc22f091
MD5 hash:
0877917441bf162620ffb8599e3c485b
SHA1 hash:
172be7c10124ab861f364f7e669635c338ae8a66
Link:
https://www.unpac.me/results/e88aaa09-b6d2-4497-b99a-e475744088ea/
SH256 hash:
f42ab6fefce253e5db737f05281964c50ec960e34655722d55e458e4f50633be
MD5 hash:
1bc3de631374c4ee565c2ff9c7cc8164
SHA1 hash:
cc6274612370cffa2d60e0113af7cc37524cef65
Link:
https://www.unpac.me/results/e88aaa09-b6d2-4497-b99a-e475744088ea/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f42ab6fefce2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f42ab6fefce253e5db737f05281964c50ec960e34655722d55e458e4f50633be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f42ab6fefce253e5db737f05281964c50ec960e34655722d55e458e4f50633be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1849999/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211217/

Comments