MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff0f173ca6d27e16f34c5882e1ea4c56d723e502772dd015a67acae3306583ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff0f173ca6d27e16f34c5882e1ea4c56d723e502772dd015a67acae3306583ad
SHA3-384 hash: 8e3e4bc07db4264ee940c606845d6ea8c38d8974fc43869ce3bc90965f7f4e78cce1085e8d59669b8bce91cf1293f6f8
SHA1 hash: 67d948d941345df1d16c97fd932822cdbf719608
MD5 hash: 926f7993c4a8f0026c2a24747f4864a7
humanhash: sink-lactose-mirror-missouri
File name:926f7993c4a8f0026c2a24747f4864a7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:312'832 bytes
First seen:2021-09-07 06:07:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b740348189b21a2cbef41493dadcafe4 (7 x RaccoonStealer, 5 x Stop, 2 x RedLineStealer)
ssdeep 6144:uF2nAp5pdq7ISlTPrPeEW8D/Up/i9wnF6pzj/lv9:m2nA3pdq1TzPfjUCwF6pzj/l
Threatray 2'522 similar samples on MalwareBazaar
TLSH T1BE64E01D3E9CC432C686D6740475F6A46A79B831DD64C18F7F24B71E2EF12909A323AE
dhash icon 81bcdcac9c8cb484 (7 x RaccoonStealer, 5 x RedLineStealer, 2 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
926f7993c4a8f0026c2a24747f4864a7.exe
Verdict:
Malicious activity
Analysis date:
2021-09-07 06:16:56 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/c30e14bf-77c7-4a06-9599-5bc153b96a84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185855/
Detection(s):
Win.Malware.Babar-9891171-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/926b4491-b826-4d0b-9275-8c54462a4892
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/846534
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff0f173ca6d27e16f34c5882e1ea4c56d723e502772dd015a67acae3306583ad/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 03:47:35 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74hropfg2j7bn42mlcbod2smk3lshzico4w5afngplfogmdfqowq._file
Verdict:
malicious
Similar samples:
041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
RedLineStealer
09d58d081dd9364e99857ac273d52a17a0473cc64e64d0e15b2b9b2f67ef2d49
RedLineStealer
0ed83aa95f87e65e843b791c92419d0c1d34e5b01cc0be01715009f679ddc220
RedLineStealer
121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e
RedLineStealer
24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52
RedLineStealer
4f95ff3d34492ddb8ca5afcc1c0940c1156bb713d9278678bfdd1c59963a3070
RedLineStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RedLineStealer
b821da19f3f294e14b95e0a9c2b2926fbac983986494e81278ba4d3b7c5502a4
RedLineStealer
c033668e5a3c82e261b344df51117a1acca8a6eda9668c4fd854d5af8e6681a1
RedLineStealer
+ 2'512 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:uhd_555 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210907-gvylyabhh7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.119:15548
Unpacked files
SH256 hash:
c48f073a70092f534c8539d1e7d82c599aaedef8cba84d71975d396aac95d2dd
MD5 hash:
a95a915c16f6832e80a0e078e1eb3a88
SHA1 hash:
9f6f0576bee793e6d150b179166dbe560a5012e6
Link:
https://www.unpac.me/results/f4a1684c-fae3-4100-b111-dde0514228e4/
SH256 hash:
257cc08bb0bb0bcee139fd4c8eb4c83ca634c487348e2e1a5d03a22245185609
MD5 hash:
1c559e373cdbeebe32cb8167eb7cc3bf
SHA1 hash:
2b9067054fe76f776cd674790e919eccf58544c5
Link:
https://www.unpac.me/results/f4a1684c-fae3-4100-b111-dde0514228e4/
SH256 hash:
323e16219ddd5870f9dd0e6457e46eeb7cc0d0245284d54b7384838ba6a75c86
MD5 hash:
2b7646a4ac5984b74faf2be197074781
SHA1 hash:
01c9ce40dde2c4fd6b9b70ba71d943c79f4ea0cd
Link:
https://www.unpac.me/results/f4a1684c-fae3-4100-b111-dde0514228e4/
SH256 hash:
ff0f173ca6d27e16f34c5882e1ea4c56d723e502772dd015a67acae3306583ad
MD5 hash:
926f7993c4a8f0026c2a24747f4864a7
SHA1 hash:
67d948d941345df1d16c97fd932822cdbf719608
Link:
https://www.unpac.me/results/f4a1684c-fae3-4100-b111-dde0514228e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff0f173ca6d27e16f34c5882e1ea4c56d723e502772dd015a67acae3306583ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ff0f173ca6d27e16f34c5882e1ea4c56d723e502772dd015a67acae3306583ad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1591434/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185855/

Comments