MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f592880a5c958fe4161c1f5ee7bccba92840cef7667d6573a50647a4f6762645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 3 File information Comments

SHA256 hash:	f592880a5c958fe4161c1f5ee7bccba92840cef7667d6573a50647a4f6762645
SHA3-384 hash:	865fc6a3870f659335a7188622adeee15bf54410b73133bdb19ce264ce2af51fe28cf9de5c279f7a0a6f7c151c477d6e
SHA1 hash:	892a53988c1da32f4419352ac6055efa63d7f70f
MD5 hash:	1003b8e6bd6b06e8106b628225abd157
humanhash:	five-king-helium-oklahoma
File name:	1003b8e6bd6b06e8106b628225abd157.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'591'672 bytes
First seen:	2022-02-13 20:45:41 UTC
Last seen:	2022-02-13 22:48:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8cf67bee624a7976914055b7ddad82a5 (1 x RedLineStealer)
ssdeep	24576:L5IvuenXhxxOYjjKgaWgaMlt0VAQq26nysgAOqLYJxMZA0Lmz0U:LYpx+YdGpDudq29s/OqLwxI
Threatray	236 similar samples on MalwareBazaar
TLSH	T13E75D00677C8B891D9BD60718A678BCC2336FC21556387973322FD3EE4F7649981A18E
File icon (PE):
dhash icon	8e0f0d5137331ecc (2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Palit GeForce RTX 3070 Dual R61 LHR RedLineStealer signed

Code Signing Certificate

Organisation:	Palit GeForce RTX 3070 Dual R61 LHR
Issuer:	Palit GeForce RTX 3070 Dual R61 LHR
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-02-09T18:26:26Z
Valid to:	2032-02-10T18:26:26Z
Serial number:	1e87f3e11313abbd4d83a8131c0785b1
Thumbprint Algorithm:	SHA256
Thumbprint:	dc62e9fca88aecda200fa438ef793e982f87877ae0f83537a5b7cd263aea4928
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RedLineStealer C2:
172.245.186.132:6670

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
172.245.186.132:6670	https://threatfox.abuse.ch/ioc/387380/

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/241203/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.48330693.14808.14783.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Creating a window

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Stealing user critical data

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ba7a800e-ee31-4caa-81cc-6e0730fc9848

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/939014

Signature

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f592880a5c958fe4161c1f5ee7bccba92840cef7667d6573a50647a4f6762645/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-02-12 16:49:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 43 (46.51%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6wjiqcs4swh6ifq4d5poppglveuebtxxmz6wk45fazd2j5twezcq._file

Verdict:

malicious

RedLineStealer

15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259

RedLineStealer

3eb8443ed0a6200a3e8af4ea1b0367a999ff30e38b54ddaf14ee47d7a243efb7

RedLineStealer

6adee9708eeb07df53ced6a40ad5eab5e92be4f86a314835a8ec6e78d20cef62

RedLineStealer

9bc3b1788041f0f94ec1c8602d4ebc97b7d06a276ba9287042dc16e4ac2e7f52

RedLineStealer

9bd4931a1f00e7a8ffd816ac0de15d6dc5cd57c861132aca28009b2860fb0470

RedLineStealer

d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8

RedLineStealer

+ 226 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220213-zkaq8sdeam/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

7e7082f330e6d48b8303b7ce142713b8ae03922f76a84bde86cc1484b2f38aad

MD5 hash:

1fe321bfec216440e82210c536354c8e

SHA1 hash:

87fd2ed10db67029a6417263d92eabe59dd29859

Link:

https://www.unpac.me/results/475c34ad-6c78-4738-8c1a-975df171bae8/

SH256 hash:

f592880a5c958fe4161c1f5ee7bccba92840cef7667d6573a50647a4f6762645

MD5 hash:

1003b8e6bd6b06e8106b628225abd157

SHA1 hash:

892a53988c1da32f4419352ac6055efa63d7f70f

Link:

https://www.unpac.me/results/475c34ad-6c78-4738-8c1a-975df171bae8/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/241203/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample