MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53
SHA3-384 hash:	11ab04c4e9f8065aa9ebe43923e9f5c8d28fa2290db4014d23d634ed06446bd0362232ca0a28e88d61e17b0355d92d93
SHA1 hash:	35db03d22c00f45c1c88985c326118290cdc1e62
MD5 hash:	237f002316e142ac4e7b9d31e8585c00
humanhash:	mockingbird-ceiling-avocado-arizona
File name:	SecuriteInfo.com.Win32.RansomX-gen.26190.27462
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	359'424 bytes
First seen:	2023-07-23 04:27:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cfbfd8ca3fe61cf1ac99b7bb15f4a1e5 (4 x RedLineStealer)
ssdeep	6144:58VXLah6a5LFSEqoUFsci9KqRVGNnu+Z1ifHYOGTMMf:OVXmka5LHwFsb9tRVMpZ1iHEM
TLSH	T13674E02137E0C076D5AB91704A30DAA06DBF39626B7994CF37882A3E2E746C09F75357
TrID	52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.5% (.EXE) Win32 Executable (generic) (4505/5/1) 3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	41c3032922614200 (1 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

SecuriteInfo.com.Win32.RansomX-gen.26190.27462

Verdict:

Malicious activity

Analysis date:

2023-07-23 04:30:30 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/fdaa82fc-26e0-42e8-8f98-85ed8c6bff25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/429484/

Detection(s):

SecuriteInfo.com.Win32.RansomX-gen.26190.27462.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64bcac52e179a8163b7d8bf7/reports/715b162b-aa87-4bca-b48a-02389e7060da/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d59e0c1e-ce27-4e48-8ed0-dee114f98207

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1277846

Signature

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53/

Threat name:

Win32.Trojan.GenSHCode

Status:

Malicious

First seen:

2023-07-23 02:58:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cj5vigt3i3pfjenvmhx6zx5gdmpl7jsvvagrtyi5bie2bklth5jq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230723-e3m43adc62/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

178.32.90.250:29608

Unpacked files

SH256 hash:

fe2e6f04b777ad58b3aa60f3ae725613f850cd7f33c1b5cf412b3834289eb4af

MD5 hash:

00981eed9a174d47add5c077be3ce7ab

SHA1 hash:

ff8a981a094b4c5cea1be6671ede01e1f1e6c5fb

Detections:

redline

Link:

https://www.unpac.me/results/a2d17551-aff0-4c74-b4a5-672f071f1898/

Parent samples :

5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9
6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565
127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53
9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927

SH256 hash:

72f33a98e88d0f17816c1ffdec17f74ed3b45582e7bfb9a7a97badde980a5583

MD5 hash:

c37db513789ef0b2e4cb7b5c613e2045

SHA1 hash:

fe22e822a3992e9e3fdb58d089b851a093c9a280

Link:

https://www.unpac.me/results/a2d17551-aff0-4c74-b4a5-672f071f1898/

SH256 hash:

95fd90ac54a23cc58162f72131d28c710e165286c3d42df4eec8a60a4cdc524b

MD5 hash:

741eb59c0a7d6e51ad6204088662709e

SHA1 hash:

d1270e8a99f43a1b1bcff9ee293472513c9db28e

Detections:

redline

Link:

https://www.unpac.me/results/a2d17551-aff0-4c74-b4a5-672f071f1898/

Parent samples :

SH256 hash:

d14a6bc260e69c17d5116aaf1550add0073a4530b12b74e5aff401cc7dae306d

MD5 hash:

d2f632d0f06158afdb609edc4cdce942

SHA1 hash:

adfa06207dc106a83b68bd958e5300874cc896cf

Link:

https://www.unpac.me/results/a2d17551-aff0-4c74-b4a5-672f071f1898/

SH256 hash:

127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53

MD5 hash:

237f002316e142ac4e7b9d31e8585c00

SHA1 hash:

35db03d22c00f45c1c88985c326118290cdc1e62

Link:

https://www.unpac.me/results/a2d17551-aff0-4c74-b4a5-672f071f1898/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/127b541a7b46/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/