MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9
SHA3-384 hash:	8d9df6cd28e366584e758938ca20b29e5dac9aea25c1852e38e32a6bce1f3480af6d77f9cc09acec9941f76cf3fd53d3
SHA1 hash:	9dd49dfe95e28167574179bf82fed2d0070303fe
MD5 hash:	d60418a43374e93b8546d9a017364ba1
humanhash:	maryland-mountain-berlin-ceiling
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	198'656 bytes
First seen:	2023-06-27 05:00:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a3a98f4b8bad628ffa25a9afc0275971 (18 x RedLineStealer, 12 x Amadey)
ssdeep	3072:V7Iyj3xe0zyoImHgMVGERF+pLqa0daMVlj7XvVLM:6yjBDgMVGQG94l
Threatray	594 similar samples on MalwareBazaar
TLSH	T10C149D2C7B80F7B6DD201638055FC7DAA5E736310F369087FE9945660F902C5BB78A98
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc808950829_663396153?hash=UhBVaqu0JdFu31UZHjTXYTBVIY3qhpp9F0eW8N6KcQz&dl=D65CZG5RYNjuFbiGOvR8BnJLmXzsahaBQ0zRxuVmDAg&api=1&no_preview=1#11

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-27 05:00:24 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/d2338118-da59-4dfa-9020-e0a520863823

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/403093/

Detection(s):

Win.Packed.Convagent-10005012-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/92806/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/649a6d0e07c2007b16e6e8bc/reports/572f387c-ff55-4dab-af40-205dc91e5632/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d235f31e-8c5b-4d5b-8a56-513b32355125

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1261797

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-06-26 08:23:04 UTC

File Type:

PE (Exe)

AV detection:

22 of 37 (59.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=amhojwbfdajzuimab2ggsrxuntbfdaq6tjzyu6gpziykddyotcuq._file

Verdict:

malicious

RedLineStealer

2f2b97ab77736a86eeb79599be1137c99befab80ba2d1af6a19a9f5ee664fecc

RedLineStealer

348021154da50f07357caad1ff21d7661aa032a18b1b1be5081ab5f9009790c5

RedLineStealer

67a95e8478140adae734fd001ef1604be1370201df0c7897c42fae643730c7c3

RedLineStealer

7b8e8d674ec79b796ea7fd9925305d4a581ea173d70857def96bf5a347c2b55f

RedLineStealer

8cff02b8ebb50f1e9719494a53057017da3de1f7d1cf1a17d3df8614d2a6962d

RedLineStealer

9f501e75fa1f86aca08cecdd4b3fe11676a0aebac9f34cbbbfb12f43a2a075ec

RedLineStealer

be32eef2edd391e6ba9c877a7181c667e4791a7899ee054097605daf707cc346

RedLineStealer

c4cc00b65af58598157eee87eca86b64de4138a3b449883ea3c1a0c33c3287c1

RedLineStealer

ea37edd70819ab94e9e78196fdb84a276c1e70238cd8c83581fc224898c86664

RedLineStealer

+ 584 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@ytlogsbot discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230627-fnjnrsea41/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

176.123.9.85:16482

Unpacked files

SH256 hash:

f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

MD5 hash:

dc0d6257af6ac44eb10333a282b0f738

SHA1 hash:

a749e2c90b313174a91a6e51db6bc8e6dc00f37e

Detections:

redline

Link:

https://www.unpac.me/results/f0409f95-f4f7-453a-ad0a-4d172d1be460/

Parent samples :

030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9
fd31a663216bfb8143db8ea956edda60157228e4e26abd15724d28e34f435c66
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1

SH256 hash:

030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9

MD5 hash:

d60418a43374e93b8546d9a017364ba1

SHA1 hash:

9dd49dfe95e28167574179bf82fed2d0070303fe

Link:

https://www.unpac.me/results/f0409f95-f4f7-453a-ad0a-4d172d1be460/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/030ee4d82518/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2665229/

Cape

https://www.capesandbox.com/analysis/403093/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample