MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5
SHA3-384 hash: 6856d07e629161000b022859c024504044f85990cc75bf38e53cff40316afcc938241d5517a43ce5db7aa46f99b088ae
SHA1 hash: 9c3f77550af38239cd96c487c3c81dab612fe2be
MD5 hash: 1b2ce585b75dd6ac4252f0c5d81bcc47
humanhash: lamp-potato-hotel-undress
File name:Valorant Skin Changer.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:329'728 bytes
First seen:2021-10-15 21:35:08 UTC
Last seen:2021-10-15 23:19:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d86b72152e3eb79509e879927a109d7c (3 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 6144:3xPOAfsdY0LoOaYo7jaO00ssjxAOD99vINmo+I2NiJ3y:3xmGsdY0LoOaH+NB+hsly
Threatray 94 similar samples on MalwareBazaar
TLSH T1A064CF6079D1C473E87215310AF4DBB94ABDBD200B6059EB67D85B7E4E302C2DA31A7B
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Valorant Skin Changer.exe
Verdict:
Malicious activity
Analysis date:
2021-10-15 21:34:39 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/79053cf1-06a1-43f8-a6dc-01f8fb1e0d74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197818/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.23991.3598.27198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/558851ae-507c-4bca-b2ee-87317ab56373
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/871364
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5/
Threat name:
ByteCode-MSIL.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-15 15:15:20 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmpvkdk4urjzdcsgo6ky42p6quevcer7hpdymuf2fsmpz5tih62q._file
Verdict:
malicious
Similar samples:
0fecc31110c98a487e301d783c61d7f0e3e607854b5b94a01a96c73b07a99272
RedLineStealer
5221a9886df44c6e76d7a6d770ffe811d68cb8e6b96267e5ef40393ac675f6ff
RedLineStealer
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
RedLineStealer
70abd0e56d64c9d19e81fc1f62f09b9644b00819c5a1feccfd185c168f4a2099
RedLineStealer
92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
RedLineStealer
9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
RedLineStealer
a4ea8ccb32a746e3315e35d366246545d6475dc48e8e43cf92da45bf5de0fe7f
RedLineStealer
c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8
RedLineStealer
de74006a23319ed5aa596ee8e047df2a6823fecdb9e0f4a5298418e665b56564
RedLineStealer
+ 84 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@joindsa infostealer spyware
Link:
https://tria.ge/reports/211015-1fxwmsbee6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
164.132.202.45:20588
Unpacked files
SH256 hash:
1bb1dceb3067df4c02e9d860a3c2666e040e3c5ff0455884ca5c54da7fefd0bd
MD5 hash:
fda1d2d0cb3af6c13022ca1534297354
SHA1 hash:
2ab4c437f9e458494c3f54bad1e8f252e8d2165f
Link:
https://www.unpac.me/results/c0f218bf-8e49-4aa6-a40a-6b9820f59cec/
SH256 hash:
0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5
MD5 hash:
1b2ce585b75dd6ac4252f0c5d81bcc47
SHA1 hash:
9c3f77550af38239cd96c487c3c81dab612fe2be
Link:
https://www.unpac.me/results/c0f218bf-8e49-4aa6-a40a-6b9820f59cec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0b1f550d5ca4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197818/

Comments