MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f6cb98819c06ce96011dfe482b4f5ebd91351d476bee0d58ab9ba85165b0710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f6cb98819c06ce96011dfe482b4f5ebd91351d476bee0d58ab9ba85165b0710
SHA3-384 hash: 62a368322c5a2bde36a0dc59a1aed985799af73e143a5d9503a5207082a2b0cbd9b2464922ea0d4fb493604f5c7b391a
SHA1 hash: 886197dab44fe9b28488f8f1ebaea281995066db
MD5 hash: 079504fc0f862bd423da6035a05d3051
humanhash: autumn-illinois-potato-green
File name:PurchaseOrder260134.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:548'352 bytes
First seen:2022-06-08 07:31:17 UTC
Last seen:2022-06-08 08:42:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:sqdJVKTFwPy5OXYkArMibLkwO8qaeEqbYoo7OvrCvbo9q:BPy0XY8EkkeEqho7OvrCvbo
Threatray 1'187 similar samples on MalwareBazaar
TLSH T154C4012433ED07B2CA7D1BF984A8014147B1AA37A51BF34D5E8176EE8E67BC0CA56713
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
172.93.189.133:14851

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.93.189.133:14851 https://threatfox.abuse.ch/ioc/668873/

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
PurchaseOrder260134.exe
Verdict:
Malicious activity
Analysis date:
2022-06-08 07:36:27 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/b92dc681-2919-4ad9-bd95-864ea4deab5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277632/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.6932.19397.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62a050b31fdbb8e831481e0d/reports/214004cc-4cba-4d4f-9566-bccc50de76a6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05aedc32-9620-4e2d-b497-d2c272f2ff95
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
21 / 100
Link:
https://www.joesandbox.com/analysis/1008773
Signature
Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f6cb98819c06ce96011dfe482b4f5ebd91351d476bee0d58ab9ba85165b0710/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 07:32:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5wltcazybwosyar37sifnhv5pmrguouo27obvmkxg5ikfs3a4ia._file
Verdict:
malicious
Similar samples:
00509d2de60dcdf523ea44b90e5dbbb510f6298bcd9810686ea625d33160176e
RedLineStealer
10fd06a398a69a6ed619974bbde91c9868e0abc9cf0bad3b38ce1dc7d3dc1ae6
RedLineStealer
26179d1a09bd8ba828aa47a001dfc66df53a6ec1138eae15ae067b19db45b2cf
RedLineStealer
32252e51624f449f015636763feb4a6eaaea3f7ba436a217d9d1aae348529de7
RedLineStealer
4c0f2de97826d56bae2c4af31cd01c4b68515433943918af1f28889587fa13f1
RedLineStealer
8397c04c6cebbfcb4ffbc18722a72e8485626304db1fb5c83875e1d64b873a23
RedLineStealer
9e6168b2963d8a01b080552dcedf4260d62d0ee643cbb33d5461bd23369d12e3
RedLineStealer
a40edc7cd33020f9e1b599da3356fdebecd7ddcf26081aa028d42873ea882916
RedLineStealer
b0e427b8e2db98edeea688cda0c6b0e33f936fae3a7b09b529a85a6190083df4
RedLineStealer
fb13f5302756081d7dc2545468beddd187e44de679d3a776c62298bc18cf28c8
RedLineStealer
+ 1'177 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:nuu discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220608-jcyv4adgaj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
172.93.189.133:14851
Unpacked files
SH256 hash:
191220cac35fdfd19b85ca8d7346669579b55a06a1bc1fb6211e07262369f881
MD5 hash:
e19d81cc037032e61f6a5c67dee16dd3
SHA1 hash:
e22bb8ac69a87f2d011bcf691db44d1cd1de5913
Link:
https://www.unpac.me/results/175c69fb-0517-4011-b8e0-c0c15de19dc2/
SH256 hash:
6d963a5d8e56d55fcb8f255a96e96e4893003523147afea0bed03db21f66a92d
MD5 hash:
bef27295f6094e35eaf2fbc029f632ee
SHA1 hash:
7ef56bc563772843ffdf7fcb87dee3d5562fcb44
Link:
https://www.unpac.me/results/175c69fb-0517-4011-b8e0-c0c15de19dc2/
SH256 hash:
2bf7fb4b1ec94b7048fcd8047e64e24d59eb6b7689aaa78c1fa37aa3191bb877
MD5 hash:
caf2094f1b306468ffa6a507a7f490e3
SHA1 hash:
5a346a13784088f1cf212d0206ad84682f376e30
Link:
https://www.unpac.me/results/175c69fb-0517-4011-b8e0-c0c15de19dc2/
SH256 hash:
686a805240da359294c9a0359a3679134bebcb1acbea7bba0951773dfcd2194c
MD5 hash:
2353848e8c009d862284f173c3625be2
SHA1 hash:
0dbbe8d2e1ecfc4643797c69dd972795221e9baa
Link:
https://www.unpac.me/results/175c69fb-0517-4011-b8e0-c0c15de19dc2/
SH256 hash:
0f6cb98819c06ce96011dfe482b4f5ebd91351d476bee0d58ab9ba85165b0710
MD5 hash:
079504fc0f862bd423da6035a05d3051
SHA1 hash:
886197dab44fe9b28488f8f1ebaea281995066db
Link:
https://www.unpac.me/results/175c69fb-0517-4011-b8e0-c0c15de19dc2/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f6cb98819c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/0f6cb98819c06ce96011dfe482b4f5ebd91351d476bee0d58ab9ba85165b0710

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277632/

Comments