MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00b6ed886450dcf28adc280a58a6e00c3176fd14c0fe216d95fd6d18b9471556. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

SHA256 hash: 00b6ed886450dcf28adc280a58a6e00c3176fd14c0fe216d95fd6d18b9471556
SHA3-384 hash: 162dcf8b70beea00974142874b021c6a09b09c3ffdf7fe439671be33a94d3ee1ce75374cd14431f07e80a06d7dca11ca
SHA1 hash: f71f5b338bf1e1e957268e8d0b64e9303aadd000
MD5 hash: 6de4a60cb2f6e4e3a7c79d9a332b1b86
humanhash: sixteen-iowa-tennis-nuts
File name: file
Signature: RedLineStealer
File size: 222'208 bytes
First seen: 2022-11-22 21:55:58 UTC
Last seen: 2022-11-22 23:30:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f889c281b8c32c3abe6d39de60b78eca (19 x RedLineStealer)
ssdeep: 3072:yPwov690foGrv4ETyre2xRc0jqr76OlnA9DMpYU4KZe8JbJ3Yl6PR+cpY8jwpS:yP7v00foqwe2xrjq6O4MJ4bM5Y4+cE
Threatray: 1'579 similar samples on MalwareBazaar
TLSH: T13A249C1774C0B131C49FC6B121954BE6003FE6B327F6960BA30C5E1EB6615EA63A2BF5
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe RedLineStealer


Comment by andretavare5:
Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 253
Origin country: n/a
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-22 21:56:45 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Sending a custom TCP request
  Launching a process
  Launching the default Windows debugger (dwwin.exe)
  Creating a window
  Connecting to a non-recommended domain
  Using the Windows Management Instrumentation requests
  Reading critical registry keys
  Stealing user critical data
  Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Allocates memory in foreign processes
  C2 URLs / IPs found in malware configuration
  Connects to many ports of the same IP (likely port scanning)
  Contains functionality to inject code into remote processes
  Found many strings related to Crypto-Wallets (likely being stolen)
  Injects a PE file into a foreign processes
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Crypto Currency Wallets
  Writes to foreign memory regions
  Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-11-22 21:56:09 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@madboyza infostealer spyware
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of SetThreadContext
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Uses the VBS compiler for execution
  RedLine
  RedLine payload
Malware Config
C2 Extraction: 193.106.191.138:32796
Unpacked files
SHA256 hash: 4d13d06d716a80fce5a93547c34cca425473f462ff00a79f7ae1b8ab7db6a5b0
MD5 hash: 7d0bf0ede21d398b4a65e556a1edc433
SHA1 hash: 9174da73bfe26cd61eaad6ae078f11300891db2f
Detections: redline
Parent samples
SHA256 hash: 00b6ed886450dcf28adc280a58a6e00c3176fd14c0fe216d95fd6d18b9471556
MD5 hash: 6de4a60cb2f6e4e3a7c79d9a332b1b86
SHA1 hash: f71f5b338bf1e1e957268e8d0b64e9303aadd000
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Win32_Trojan_RedLineStealer
Author: Netskope Threat Labs
Description: Identifies RedLine Stealer samples
Reference: deb95cae4ba26dfba536402318154405

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
