MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
SHA3-384 hash: b35df92cd487236bea10a5d41b13a038c519ec48c61ba0801a7c52d16c89f2f03447bc52bf9d8598e39f175d48dbb8e2
SHA1 hash: 7283e9ff263b5753095ee6834394b1357d06c8c2
MD5 hash: 819d04631e10b61b212231ee093d9dc5
humanhash: speaker-snake-wolfram-friend
File name:819d04631e10b61b212231ee093d9dc5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:356'864 bytes
First seen:2023-07-24 06:10:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 795d5374158688612616ccbdb5ba25ba (8 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:ZwKz/vQXh3fy3goug9FOwXBX7PtVqWttOn/tpRQXzr8:SKzHyh3fyQZoRXjWG4fQX
Threatray 180 similar samples on MalwareBazaar
TLSH T19374E06272E0C033E66796315430D2611ABBBC325B7491CB73681B7E5EB03D1AFB9356
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0dec4d2d4d2dd (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
149.202.8.114:26642

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
819d04631e10b61b212231ee093d9dc5.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 06:14:10 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/a46b6d22-0002-463e-abdb-f445398fd0bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430575/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.542.15624.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/694e0657-d413-4e70-80b0-144ce6c83af4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278024
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef/
Threat name:
Win32.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 05:37:09 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ah77a3hgbvgbiww22gl4jxsuinoxoxqvz35qblidfgcc3l6sihxq._file
Verdict:
malicious
Similar samples:
0053d1419ec04041f1603063f4e7c0a6a370025de08a0bb69897cd6c757f1bb0
RedLineStealer
0c5d1c2c1f5bcb910d25419e87349bce28055b67de3ef6bd1e511a6b17290fce
RedLineStealer
572e60bad91adcc0711b6c93408bc73812d05a7485b0f2a5125f4e3af19dcba0
RedLineStealer
6b7ee0a57c1cfcfadfc414c782a371f8e3a29c75446a45c33b7a31e92e4ac802
RedLineStealer
75f9db664373b1e957799e65139d1468c7cc7f39ce171c100b875d886cda0690
RedLineStealer
7ed395afebf774d7e1e0ce47b88445afc2a8b9811c94553f6923ba4496ce9962
RedLineStealer
83172a05a1bf277edad661d291cf26ed197ff9917a878e00d980e6748e3541a7
RedLineStealer
8359a347a41ef75b7a1591d2bd81372d24e25aab079e08ab7185bdbb0948955c
RedLineStealer
8a9e291a57a70f07a7d3b0aee7f05b8268a5af104b1bbafa571d8d662fcd66b0
RedLineStealer
+ 170 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230724-gxlp6aah6t/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
149.202.8.114:26642
Unpacked files
SH256 hash:
1161f2aaede4428d7c5ad55c68d14531c7459a2a946e9b946553027db4087b9e
MD5 hash:
5b9e910f14c9664c591d075ccfdda0c3
SHA1 hash:
dbbbe03ec1f8b19d8ae3c39912c7cc07d35c0fe3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/875eb8ba-d52a-4008-a6f8-e2c7e2d8a147/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
cbb2b3d88f8407ad3533d49d83ee97450a946073cbf9eface7bf8a0aba6a2977
MD5 hash:
1170152a8e1dc3e4b9c38d8146362e81
SHA1 hash:
d1a14beb19d4242e9237c59d5b5d85a3c2c70aa1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/875eb8ba-d52a-4008-a6f8-e2c7e2d8a147/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
ae08b6ce7cdd04919c987c48a8e1fd11316e15f8071c063e8060251ba49e092e
MD5 hash:
b9ac7ada76639bf533b86fc0ae86597c
SHA1 hash:
74ce4a5df518a85c44d5d51fd3213fd6da36940d
Link:
https://www.unpac.me/results/875eb8ba-d52a-4008-a6f8-e2c7e2d8a147/
SH256 hash:
ef904719bce27fd4ef1e3221cb658a1ba93f7fafccc16d6e0ffb00a1bfb399e9
MD5 hash:
3c81ebdb4f2dc1f98485343dfeaedce5
SHA1 hash:
0ce97f6e8d3cdac8b68329d57b4d16873d6ed167
Link:
https://www.unpac.me/results/875eb8ba-d52a-4008-a6f8-e2c7e2d8a147/
SH256 hash:
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
MD5 hash:
819d04631e10b61b212231ee093d9dc5
SHA1 hash:
7283e9ff263b5753095ee6834394b1357d06c8c2
Link:
https://www.unpac.me/results/875eb8ba-d52a-4008-a6f8-e2c7e2d8a147/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/01fff06ce60d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2687902/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2688463/
Cape
Cape
https://www.capesandbox.com/analysis/430575/

Comments