MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
SHA3-384 hash:	6b30695c95694e8f67509069f7517c9a757a0dd108776d858ec08191435b90e24c0175cb2517aed48003605801090034
SHA1 hash:	1f8ca54bad19db55ce4ad3859bb121cc9930ce37
MD5 hash:	445848ebcd727582d7365eba20812d11
humanhash:	alpha-sweet-jig-sierra
File name:	445848ebcd727582d7365eba20812d11.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	425'984 bytes
First seen:	2023-03-07 13:35:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e0796fd4d2678f1ac0c3dc6d4697501b (2 x RedLineStealer, 1 x Smoke Loader, 1 x GCleaner)
ssdeep	6144:O84aULA1+WBEERll/lNQ53aNw7cOv+hXnel9tuC3LdkTP:OzK+WBtlYKNw7cK+hXiXV3a
Threatray	24 similar samples on MalwareBazaar
TLSH	T1AF94F02276E0C072E69715345974C7A66B3FF532663182CF3BA42B7E1E202D19E7631B
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	10c6ccaa9296cc58 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

445848ebcd727582d7365eba20812d11.exe

Verdict:

Malicious activity

Analysis date:

2023-03-07 13:37:55 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/34682962-c5db-4b31-b79e-3ea02a050fac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/372270/

Detection(s):

Sanesecurity.Malware.28986.BadIN.UNOFFICIAL

Sanesecurity.Malware.28988.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/64073dc786426ca5a86acacb/reports/5ae271bd-876c-46bf-b7b5-c65781f74348/overview

Verdict:

Malicious

Labled as:

Ransom.84989A88

Link:

https://www.hybrid-analysis.com/sample/11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c55c020d-2028-4b78-8c05-884bd177149e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189047

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2023-03-07 00:56:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cebvu343fskaa2fvwoq262wqbuyajeeg26eayg2dwwtqphp5ngna._file

Verdict:

malicious

Label(s):

cobaltstrike

RedLineStealer

0b857f695ac9881c7e664fd00dffb30381bcd51a2d5a4e8e9877c142aa5774d4

RedLineStealer

2487cb55ca95b48878951f446ad9bad2e36c7e0fe13861c56760dba446e1b3ea

RedLineStealer

3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e

RedLineStealer

4fbb67c0ef74f07ac1b31dba5d136938735bbd00544d27b4931a4a79e12f1f5f

RedLineStealer

5b8bb17865111cb338642724d7f972b001f45a9605d6711a318fe4fe499f1d63

RedLineStealer

7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268

RedLineStealer

820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419

RedLineStealer

957b7f7039ef6b3c84f374b6b602466cb196e50e477a37e012423b7a9d72aa7f

RedLineStealer

e0655ce959cf315b005873a9716ec993c0d45805a439793fe2beec0763f15485

RedLineStealer

+ 14 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230307-qv8xcaab74/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

de61cf25202e6b74967ad446111c516c50695c36172452da3bef94d68d3fdd7a

MD5 hash:

558eace0ceabd8b25d590be8966a58e7

SHA1 hash:

ca4df41956f1ca42db197dcf1c0d469ba3e16a8d

Detections:

redline

Link:

https://www.unpac.me/results/517ece40-ccbc-4559-8e1f-873df3f5b629/

Parent samples :

6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0

SH256 hash:

db2c4acdeb934ae96e51b46b88f24dad4e43f69a90de44b8554e30b909ef29ca

MD5 hash:

9dc3abbfdcd1bb7cafb14a35b60d6713

SHA1 hash:

6aacaf8c94121006562f4a013283741340e99693

Detections:

redline

Link:

https://www.unpac.me/results/517ece40-ccbc-4559-8e1f-873df3f5b629/

Parent samples :

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

SH256 hash:

f4262b5eb59db26a6eb9534d7d8e57955ef5ef3079a439570cb32c9754baf696

MD5 hash:

bcc57bbabee21070c3b1c1c0d6549c1d

SHA1 hash:

374f18b741a610c8d532d793c52e2aae22fc7856

Link:

https://www.unpac.me/results/517ece40-ccbc-4559-8e1f-873df3f5b629/

SH256 hash:

11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a

MD5 hash:

445848ebcd727582d7365eba20812d11

SHA1 hash:

1f8ca54bad19db55ce4ad3859bb121cc9930ce37

Link:

https://www.unpac.me/results/517ece40-ccbc-4559-8e1f-873df3f5b629/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/11035a6f9b2c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372270/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample