MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f
SHA3-384 hash: 5f2be9b7924d6abc8cb45553fb7e518f87b7a9359a361615010d58ffdbd633fcb9b8a02621cfa57a30fae265c3b962e4
SHA1 hash: 7a89e0f36268fac38e6cdbba2677c14f334a560b
MD5 hash: 803709f0596578ab83a031da335d1511
humanhash: twelve-mars-oklahoma-autumn
File name:803709f0596578ab83a031da335d1511
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:395'776 bytes
First seen:2022-12-24 16:49:28 UTC
Last seen:2022-12-24 19:29:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 81084ac57f5d38e75d3a63cf80f4122a (5 x RedLineStealer)
ssdeep 6144:gRQUMd4UvkL5kDhOM232DeAORnIcRz1rv2xjgl:gRRMyUvkLk2zIwVvnl
Threatray 1'887 similar samples on MalwareBazaar
TLSH T134844A26E781803EC4E1263619E396E5472DBF5305607B7FABDC46AB3E30E4091EE52D
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
37
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
803709f0596578ab83a031da335d1511
Verdict:
Malicious activity
Analysis date:
2022-12-24 16:51:45 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/1207f5b9-5972-4670-83bf-f6d32972f86e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.3323.20013.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63a72dbc629a35af1ab3c43b/reports/b0690348-474c-4b0f-8305-ecfe4b16f373/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbeab2e2-96b8-4206-a447-cf0d0f4a72f4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140500
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-24 16:21:33 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjuomvpw3ytsiwu5punvvdxvascimx6zqmyhr3hmfrdmgjd4prxq._file
Verdict:
malicious
Similar samples:
03ca2aaa9e5bbe7728bb69be32b347a12178e6376d5efbb7a7b0a228b70e5dcd
RedLineStealer
186bbf590210d8fd02e981a002c05ab018aaec5ecd9b6ba4a37b16ba2f47b61e
RedLineStealer
18b946d10fd3e8d8508fd47749aef1df080e2804b3457f2f4589da13065eaccf
RedLineStealer
217c469af3fe96773cf891fcdd050b71e8da6c29c55a2af173e80d265e444af2
RedLineStealer
465fba168502ed66e373db521f1c0dd93ce30e69d271528051390817977b4818
RedLineStealer
5b7fd8399f4d782bb4f08df3f4a04b3f580c8b64659c0de4c353b2c01bdb3db0
RedLineStealer
c06c0fdae71a40e7b8a804d29cab262bc0802db87a9d2d6db4b193d405a0d020
RedLineStealer
d78f10d9f1fc9f184a8fb7ab10d1683a9857be12a81e504f2389edde9203ab5c
RedLineStealer
f863b2eaafe78bd61faf02eda91f00fafe397b7accd0817f03ce68a355d625f4
RedLineStealer
fc0e730c9b09606eb09f91f39d9e780f005bd0f1674ee411cbb0de75acbe4bae
RedLineStealer
+ 1'877 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:11 infostealer spyware
Link:
https://tria.ge/reports/221224-vb858add7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
79.137.202.18:45218
Unpacked files
SH256 hash:
afd50f079bd873c5f389bf1a48f618ac97debc8f3e1856b9da204ea4f092af1a
MD5 hash:
55b837a7696044eda89bf237b37f37ce
SHA1 hash:
1e6c862f373fb90ee143bd68e7aca8079f1a7f24
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/b98b34fb-e74f-479b-b1e8-d2a4b3031939/
Parent samples :
f863b2eaafe78bd61faf02eda91f00fafe397b7accd0817f03ce68a355d625f4
c06c0fdae71a40e7b8a804d29cab262bc0802db87a9d2d6db4b193d405a0d020
18b946d10fd3e8d8508fd47749aef1df080e2804b3457f2f4589da13065eaccf
1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f
99b7396773e11d0a1d44f674310025344f2d8c9d2813d33e9bd7dd35ac5f2360
9a48ec1ff7995f724b479d97b0fd21fc0ee9c6c1598a39192ec677b648087602
13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47
7f11a927ac9742f5b53973e5a198044f52c11af540c028ba81bf1b93ecdff4f0
728d0c12a4883b351dab40bfa2881a0dc967f9ff598384050da6c43d0d9bb476
8e2e0590b0418adf88d487f37a49107538e7e2d243f165845852c3f7ece6a337
3ca4879853a8f13a89473cb07e7ae77ab830abbf0ea5e09b3f525c5810b153b9
321b7072a0ea33c36933b98b6523eaf4dead69a8e90dc032f8a4b10cfb835b1e
505509de0eccbd99559118cc90f42f5618c68827d963394afdef810c7fc3b2f1
f80b159cd3d099a3e40ff671e2544df562639dd0cda61709f9e367288140e414
SH256 hash:
1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f
MD5 hash:
803709f0596578ab83a031da335d1511
SHA1 hash:
7a89e0f36268fac38e6cdbba2677c14f334a560b
Link:
https://www.unpac.me/results/b98b34fb-e74f-479b-b1e8-d2a4b3031939/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1268e655f6de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2485197/

Comments


Avatar
zbet commented on 2022-12-24 16:49:37 UTC

url : hxxps://kondio-safari.com/2.exe