MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc28ee0a219c9b20301f12ce39585177056a1814f32b3687f90607dd8b7e98cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 13 File information Comments

SHA256 hash:	fc28ee0a219c9b20301f12ce39585177056a1814f32b3687f90607dd8b7e98cc
SHA3-384 hash:	4a5398669e70e6449a8b8a06ab506df478c0c7b5c318048966a9c95a4e8dd2be1b76151cc103b41813f28657b87111e3
SHA1 hash:	5ea3ebd85abdff7b63a46140dbcbff09cd448bba
MD5 hash:	260189025532545a9ab45525236e2336
humanhash:	early-purple-artist-mars
File name:	260189025532545a9ab45525236e2336.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'152'512 bytes
First seen:	2021-10-02 14:40:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:SkZO69hlJwaOBKcvJ/cDFT+rMxIiLyGOrhQFN77:SkZFhXGKf5T+Yx5ys77
Threatray	8 similar samples on MalwareBazaar
TLSH	T1683533A7A00A69D5C1D7DBB21372BB75186A82A1A23334F93F3A7CB17511DB1112F738
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
141.94.112.3:11722

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
141.94.112.3:11722	https://threatfox.abuse.ch/ioc/229755/

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

260189025532545a9ab45525236e2336.exe

Verdict:

Malicious activity

Analysis date:

2021-10-02 14:41:49 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/be2e7b00-bf06-464b-860d-103604326aea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

EnigmaStub

Link:

https://www.capesandbox.com/analysis/194195/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-1

Win.Malware.Agen-9864859-0

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

Connection attempt

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Stealing user critical data

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4f8055e8-07e2-4175-9d62-5b11fb827307

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/863198

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc28ee0a219c9b20301f12ce39585177056a1814f32b3687f90607dd8b7e98cc/

Threat name:

Win32.Trojan.Reline

Status:

Malicious

First seen:

2021-10-02 14:41:07 UTC

AV detection:

31 of 45 (68.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7quo4crbtsnsama7clhdswcro4cwugau6mvtnb7zayd53c36tdga._file

Verdict:

malicious

RedLineStealer

30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0

RedLineStealer

34abe88bc1e9dfe7fa77df43c9c9005bbd27843a40bdcd28431ab9dda7527c1f

RedLineStealer

9ee79b401ccaba69fd7b35182ae2ed826324b1f65ba836e2c49818c0ccb06ac6

RedLineStealer

abf5f21325081eb71335a56c5b72ec05bea94c7cc133abfb46f073227230f835

RedLineStealer

bb13cf7f4d7f5db58730a4dd948093ab12ee0f65c2393784e43143913d51130b

RedLineStealer

f47e5170400f759777d84d93b114348b904aed870ee7d39a697f8b1f884d77ae

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211002-r2eshsedc9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Unpacked files

SH256 hash:

fc28ee0a219c9b20301f12ce39585177056a1814f32b3687f90607dd8b7e98cc

MD5 hash:

260189025532545a9ab45525236e2336

SHA1 hash:

5ea3ebd85abdff7b63a46140dbcbff09cd448bba

Link:

https://www.unpac.me/results/599d518e-9d69-42e4-8b66-0c401419763b/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/fc28ee0a219c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/fc28ee0a219c9b20301f12ce39585177056a1814f32b3687f90607dd8b7e98cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	Enigma_Protected_Malware Create hunting rule
Author:	Florian Roth with the help of binar.ly
Description:	Detects samples packed by Enigma Protector
Reference:	https://goo.gl/OEVQ9w

Rule name:	Enigma_Protector_LazarusSample_RID3326 Create hunting rule
Author:	Florian Roth
Description:	Detects malware packed with the Enigma protector
Reference:	https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_mem Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834