MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b10851f0daf74a8ab20ba75d73f7ec57fd46c14af07a94b2ca09f19b93d5c6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	0b10851f0daf74a8ab20ba75d73f7ec57fd46c14af07a94b2ca09f19b93d5c6a
SHA3-384 hash:	91961cecd855bc2c94ce19c75208be610448f628edcc8d1384b86413fa7dfec8cc45ca6cd234970031b4d2d641b83962
SHA1 hash:	90f6c8205b879dc31ffd049b918d3562dd9c694a
MD5 hash:	b629504e838e018f87f5fcf985eebe48
humanhash:	zulu-blossom-network-red
File name:	b629504e838e018f87f5fcf985eebe48.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'522'216 bytes
First seen:	2022-07-11 02:55:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	726a22f55cf9e91b15fd25cd9f82556f (17 x RedLineStealer, 2 x ArkeiStealer, 1 x PhoenixStealer)
ssdeep	24576:tzNHDwQYeYtMZrhDTMwpTKmd2Y5fHSau0RSx9QfGMUL/gbl3RuQ55313l:RNHO4tGYJHSaPRSvQfGMUzgbl3b
TLSH	T1ADC50A136ACB0D75DDD23BB461CB633AA734EE30CA2A9B7FB608C53559532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
101.99.93.104:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
101.99.93.104:80	https://threatfox.abuse.ch/ioc/824180/

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

b629504e838e018f87f5fcf985eebe48.exe

Verdict:

Malicious activity

Analysis date:

2022-07-12 00:04:27 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/f63298e1-83dc-46c3-a7b6-3c90c2d3efa9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/285970/

Detection(s):

Win.Keylogger.Fragtor-9954829-0

Win.Trojan.Fragtor-9954830-0

Win.Trojan.Fragtor-9954833-0

Win.Trojan.Fragtor-9954877-0

Win.Trojan.Redlinestealer-9955168-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/24979/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug overlay packed spyeye

Link:

https://www.filescan.io/uploads/62cb915481790e51fe55c8f3/reports/e3283cf2-0a52-4097-a186-d3c5c4076e3d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3058d492-47e4-4178-a617-abc04e482d6a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

evad.troj.spyw

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1028202

Signature

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b10851f0daf74a8ab20ba75d73f7ec57fd46c14af07a94b2ca09f19b93d5c6a/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-07-04 12:55:49 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bmiikhynv52krkzaxj25op36yv75i3auv4d2sszmucprtoj5lrva._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@hsm6666 infostealer spyware

Link:

https://tria.ge/reports/220711-de2f4sebaq/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine payload

Malware Config

C2 Extraction:

101.99.93.104:80

Unpacked files

SH256 hash:

cf8b0437dc181b7d87b2f13349f692f21ae5c78189219f21bc99ba716910dcb8

MD5 hash:

81170e30763608f5d4278fbb11e816f2

SHA1 hash:

7517a09d198f67a4d6c8992f6725bbc1301a24ba

Link:

https://www.unpac.me/results/6b6abf25-748a-4b23-a2e8-144490054112/

SH256 hash:

0b10851f0daf74a8ab20ba75d73f7ec57fd46c14af07a94b2ca09f19b93d5c6a

MD5 hash:

b629504e838e018f87f5fcf985eebe48

SHA1 hash:

90f6c8205b879dc31ffd049b918d3562dd9c694a

Link:

https://www.unpac.me/results/6b6abf25-748a-4b23-a2e8-144490054112/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0b10851f0daf74a8ab20ba75d73f7ec57fd46c14af07a94b2ca09f19b93d5c6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/285970/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample