MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501
SHA3-384 hash:	1eddad8591cc3d4956bb81327e80caf435623e37943bfc5f07c5f9dfaf610e6d4908f46b16be3d2103d13372f73ed29d
SHA1 hash:	27773d260e12fc5880cd15f0ed23d33a14c2a6a2
MD5 hash:	9371abde35861993bc930824182d5620
humanhash:	grey-island-delta-rugby
File name:	9371abde35861993bc930824182d5620.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	427'008 bytes
First seen:	2023-05-19 12:50:56 UTC
Last seen:	2023-05-20 14:50:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	33ad97a6371f251a2ce2085c8f9feaea (2 x RedLineStealer, 2 x Stop, 1 x GCleaner)
ssdeep	6144:+J47ueRHzsRuKxdy9yi9QsaRUQKA5iUTZPPYHf9W3Mtw+JkDdKS93Tu:1uepEul9v9taRh5ioZPPUYz+SR1Du
Threatray	38 similar samples on MalwareBazaar
TLSH	T184948D03D2D1BC63EB2546728EAEC6E8765DF9508F0937D722186A1B18701F2C97E736
TrID	39.5% (.EXE) InstallShield setup (43053/19/16) 28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.6% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	4418848080a82800 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.81.68.115:2920

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

9371abde35861993bc930824182d5620.exe

Verdict:

Malicious activity

Analysis date:

2023-05-19 12:52:00 UTC

Tags:

installer rat redline

Link:

https://app.any.run/tasks/4bbf2321-681b-4ce1-87c5-20bc45b054a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29322.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/646770b76afc92605683e38c/reports/8d57a96e-5587-4b42-a13c-9c7b7fa7ce1f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a232438-1026-4891-854f-308840e06d1b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1237198

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-05-19 12:51:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bllcnmsrjqhazy5bcwfx27qxv7xwvmfpzgc26s36rs53y32dmuaq._file

Verdict:

malicious

RedLineStealer

1e6feb0749b0cfffd2e085d364667c6040cf008a59b0831a74c82db2256055b6

RedLineStealer

6e9f1b1fa3c2d1dd2a2a8d61258685c64ce1fb38a84ba281fa7c07d59225ef10

RedLineStealer

6eb109c50d1a989cd368291c412b7b099f18be773902c7f459faa9f7e5071452

RedLineStealer

727df79548ea43456317931d6d2afdc98a84856bd1d6779c0dac4d4bc5d3c49c

RedLineStealer

83330099d98691d7270580d13df1175cdedb1f47c412454901026234d090f051

RedLineStealer

9893ec0e2902925018922ca40cc3495001dec4ccd32137cc13566c74bd1438e1

RedLineStealer

9fe8b148afef5e54b88b76beeccaef42ae37b6387d38fcd8cbd7d509a9f90b40

RedLineStealer

a0e4515ee2de51f5ff5a41b03fd7e993f075c889f297d63143b1620cdcf9d9db

RedLineStealer

f63bd7fab9ff14672d85019df531f46d3b67eea1ceb56c76eb89a0bff68679e7

RedLineStealer

+ 28 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230519-p3gmdsdh89/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

6d387b94e0120a94ab745ddd68cc5531b1137ec954afdf23bd3d4f571e36aa13

MD5 hash:

b976665d8b48fafb6a7d6dc535afd519

SHA1 hash:

59bcf224a78259bfe4cadb1c31407c574f2c22b5

Detections:

redline

Link:

https://www.unpac.me/results/7db3927c-ecbd-4dd2-be45-3a36834af56d/

Parent samples :

0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501
f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53
1fd69f09311ce43388620c19162acd54b86701eea3112da066e3d905205ab223
d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3
fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b
2f745b7e0fd4a560ae3519285a02388f8264fc2b68e3dbe217683515b65a754f
3101f6b59315da1a8b0024755a66e13319634e51bc695ea60361c1be51cddfe3

SH256 hash:

abc681771581e32e28a2873bc6c5fac1f22793524300c207e77d3320df8ff4ec

MD5 hash:

f16c9d9a049a0b987a725ef0ae618927

SHA1 hash:

5745600576f586b53b57d6fc668e7be0a4d0b119

Link:

https://www.unpac.me/results/7db3927c-ecbd-4dd2-be45-3a36834af56d/

SH256 hash:

a785a5e1f0472823df00c77373037df82aa490ddc3b52b5bb1bc42629dcbf03e

MD5 hash:

1df5f40f2337d55b5c31203e3ba87efe

SHA1 hash:

5171dea6a222b51109d9f926629ae6cb785ec7a8

Detections:

redline

Link:

https://www.unpac.me/results/7db3927c-ecbd-4dd2-be45-3a36834af56d/

Parent samples :

SH256 hash:

0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501

MD5 hash:

9371abde35861993bc930824182d5620

SHA1 hash:

27773d260e12fc5880cd15f0ed23d33a14c2a6a2

Link:

https://www.unpac.me/results/7db3927c-ecbd-4dd2-be45-3a36834af56d/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ad626b2514c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2604056/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample