MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2
SHA3-384 hash: 0ee6ad4611bb4d3faa69ee3264d88c476b27a6bb1c3b5b7f5887b31fb1940998549bc91a9d5d65c24d29cb2456264295
SHA1 hash: e179e80279f140e2a9e5b3fd02336d05d8e73222
MD5 hash: b67a9c5d3a4835ab1d33807f817f5225
humanhash: failed-spring-friend-lithium
File name:Software.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:746'768 bytes
First seen:2022-11-27 02:47:50 UTC
Last seen:2022-11-27 04:27:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b8ae36a1e4e2951b7d5c273a6b80116 (1 x RedLineStealer)
ssdeep 12288:nEEBPVUKWuqGSavBubljGVWuw1QtPa7CRzB0SICetV0Sfp8Fagot:9PCKLqGSYYR2lwe3tB0SICI0Sf2an
Threatray 35 similar samples on MalwareBazaar
TLSH T197F48C33F284743FC1361B3A596B96B5983BBA156A161F775BF81C0C3F382813D1A686
TrID 47.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
14.9% (.SCR) Windows screen saver (13097/50/3)
12.0% (.EXE) Win64 Executable (generic) (10523/12/4)
7.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
257
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Software.exe
Verdict:
Malicious activity
Analysis date:
2022-11-27 02:43:18 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e6becd8f-7c2b-4137-b7e5-7d5acc5b0b20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/338920/
Detection(s):
PUA.Win.Malware.Speedingupmypc-6718419-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6382cfe394f9bac087b37839/reports/f47d9b95-dc22-4013-8621-7e12ff5c4392/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4e621fb9-7b63-449b-ac0c-e1d84d1e9622
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1121777
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-26 12:19:57 UTC
File Type:
PE (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gktmvxmkpvdbk2c3mqm6ugat7jrryqcj55fmgdyxvfkrf3tnlja._file
Verdict:
malicious
Similar samples:
050505c077b590adaa0dde0669639616828ffd3e5ced0cba3a94d3c13633195d
RedLineStealer
185162ce404a5fa9310340b9c39516ab09073c1460dfc1dd066541c1756563a4
RedLineStealer
4450df031fa2a81d17c5278b0542aabe3b05c0ad0d7e103c1fe8121b61a9ec65
RedLineStealer
73d9f62c6cf3a9747c7327cc2630207f1d884399dc51ed9f40aa12979ff789a6
RedLineStealer
8ae4f12915cd0e748df3991eb25611f475c233aeaaf865ae3ffd42cca2159ca4
RedLineStealer
be607f4670ec8ae8808e6c46603344dcd3d0e58c7e2c7644cf6a360e60f92ce7
RedLineStealer
d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379
RedLineStealer
e882307e9daa68c915a83adb7a7a0e0e8d9c137c6544c964dc3f05f0f7af64a7
RedLineStealer
fa0fbb296de3208283f4d28a43bc59736bf2b4d0c4e97cd6b0f925a8492bdad2
RedLineStealer
+ 25 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet: milliondollarbaks discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221127-dafc3shb9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
89.107.10.166:28387
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/46ded7c3-e827-450f-9b89-a75feade7a5e
Unpacked files
SH256 hash:
9016e11f29dfbeff6b44069a43158a04f97f5f7491edbfcb55e485f8acd1d7e8
MD5 hash:
6fbe98f01f7265eb9cf377b100561b70
SHA1 hash:
dbe8fad812d6f2af27945f5cec0c932bfd15e6ed
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/16d8f0be-10b2-4e05-9f65-909cd2beac63/
Parent samples :
d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2
9016e11f29dfbeff6b44069a43158a04f97f5f7491edbfcb55e485f8acd1d7e8
SH256 hash:
d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2
MD5 hash:
b67a9c5d3a4835ab1d33807f817f5225
SHA1 hash:
e179e80279f140e2a9e5b3fd02336d05d8e73222
Link:
https://www.unpac.me/results/16d8f0be-10b2-4e05-9f65-909cd2beac63/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1953656ec53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/338920/

Comments