MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 065cbf8a5650089f83b6187da6fe90741e5b8c9d645159c4c42480ac8734719b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	065cbf8a5650089f83b6187da6fe90741e5b8c9d645159c4c42480ac8734719b
SHA3-384 hash:	a7d65c473c1271d2d20fe94c68b577eca635bca6e7be1c26d79e849a0550a5dfbcd520551ddeb101a5afc33f97f1e82f
SHA1 hash:	f35d071156e81ffc48f6b953754bac20ef4fb318
MD5 hash:	c296e11ddc734939a1b44be2deb19f69
humanhash:	zebra-vermont-yankee-muppet
File name:	c296e11ddc734939a1b44be2deb19f69.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	250'880 bytes
First seen:	2022-11-20 06:56:22 UTC
Last seen:	2022-11-20 08:37:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	19f81fe756f31ae8a7d11110e6e81c7a (12 x RedLineStealer, 1 x LaplasClipper)
ssdeep	6144:qrNrKSzixoeEgMCtjLctzA1jqb7ZdGWDzkCuYqLB:wrKKiee1tjLctzA1jqb7ZdGWXNuYq
Threatray	1'496 similar samples on MalwareBazaar
TLSH	T10E347C127484B135E6EDC7FAD8DD6E56497F63E1278122CA1149170D06E23FFEEA830A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

349

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

c296e11ddc734939a1b44be2deb19f69.exe

Verdict:

Malicious activity

Analysis date:

2022-11-20 06:57:57 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/eafb22ae-ca51-4135-8bd3-8bda088925e8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/336319/

Detection(s):

SecuriteInfo.com.Trojan.Siggen19.9931.17883.7530.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/6379cfbe2609334c72c1890e/reports/0b196db6-e647-4659-9798-68e25127707c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/22a215a2-6514-42ee-9fa4-b7f9f8487709

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1117485

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/065cbf8a5650089f83b6187da6fe90741e5b8c9d645159c4c42480ac8734719b/

Threat name:

Win32.Infostealer.RedLine

Status:

Malicious

First seen:

2022-11-20 06:57:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=azol7cswkaej7a5wdb62n7uqoqpfxde5mrivtrgeesakzbzuognq._file

Verdict:

malicious

RedLineStealer

4709fd98726279f1671ff8486d4dbaa7d475972599d50740ca606248d13f904b

RedLineStealer

9746de42e598888d36496f78c8cdb7145db4fa524ab4fa924ce7e2d19480731c

RedLineStealer

c3c9d57b69a22007ac8f0d953dd65a969ce5cd5b28bf32f01348d4c39d04cc97

RedLineStealer

d99b7f70d1451c0ac595420b2fe983ecda625c47575ee4a24e786dc440626a55

RedLineStealer

f6e87692e433ad1d832706b4ffb04db9be5324aad182dbaca8771532dbd8ab43

RedLineStealer

+ 1'486 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1 infostealer spyware

Link:

https://tria.ge/reports/221120-hqxphsbh33/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

79.137.196.94:48705

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f6811e7a-4f2f-4c62-afca-c62841f32240

Unpacked files

SH256 hash:

b8d3443f51baacb4a4b27394b459f19079cc47fa9c9a612cdfc5f215312d912c

MD5 hash:

c611f6b91b7975d5606006e38be8dcff

SHA1 hash:

70faa6e698a02f14423c64fb00c4b699d35bdb58

Detections:

redline

Link:

https://www.unpac.me/results/f99118d6-12ea-4920-a175-ddde32104941/

SH256 hash:

065cbf8a5650089f83b6187da6fe90741e5b8c9d645159c4c42480ac8734719b

MD5 hash:

c296e11ddc734939a1b44be2deb19f69

SHA1 hash:

f35d071156e81ffc48f6b953754bac20ef4fb318

Link:

https://www.unpac.me/results/f99118d6-12ea-4920-a175-ddde32104941/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/065cbf8a5650/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 065cbf8a5650089f83b6187da6fe90741e5b8c9d645159c4c42480ac8734719b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2426902/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/336319/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample