MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47
SHA3-384 hash: f1770f71cf7f6967706acd10b43826ccfbf5c28ceb912fcc931c1ae41e78ec0e410439c522bee9ffb3999f2cfb99c217
SHA1 hash: 7717c6bde031fc9d5862639041e5b895fc5b51d1
MD5 hash: 798af35d10ee5eeaa15918f085b54807
humanhash: mockingbird-april-october-six
File name:798af35d10ee5eeaa15918f085b54807.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:408'064 bytes
First seen:2022-12-25 08:20:10 UTC
Last seen:2022-12-25 09:30:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e7c1082b38a4734d89e1f235c71c850 (8 x RedLineStealer)
ssdeep 6144:kS4xWrKdFGbK4CRAwTAtBVfjmAONhDi8eDsUkHb/bGPK:kS4xWrKdFGbK4UTnbhD2sULPK
Threatray 1'897 similar samples on MalwareBazaar
TLSH T12A94373060B0F0F5D87220F09AA75A64986CE5604F7544EB77940E6A8EE1FF3ABF0765
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
79.137.202.18:45218

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
798af35d10ee5eeaa15918f085b54807.exe
Verdict:
Malicious activity
Analysis date:
2022-12-25 08:24:13 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/0bc676ad-0556-484d-82e0-40383f5a0d45

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64509920.16476.3801.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63a807f0629a35af1ab3dece/reports/aaf6f9be-b567-4821-b05c-789416e84c47/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8632a0ea-e65f-4a67-924f-20cf996713a3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140747
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 04:00:15 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 40 (47.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=co4kiipxwa64j7y2wwstpxasboe7dqo2vs53ez4kwmr2t5nfnrdq._file
Verdict:
malicious
Similar samples:
01320b475214dbdfa7782958986b96dfadedbf5d27c708ab3616d3cdf1be9b34
RedLineStealer
11e6cd39dabb4482b7e95adb92336fa17fc46df16b72ec72ef922f79857d752e
RedLineStealer
42c07c82e3328b7d7a4e9804ba3d558a64c0e8a2ce018e9a5f7155a9792d5376
RedLineStealer
67d787249ae186a7000e4db614af862c22db210fa263d2bdac3dcc7b06db8665
RedLineStealer
728d0c12a4883b351dab40bfa2881a0dc967f9ff598384050da6c43d0d9bb476
RedLineStealer
7d1544a67d1dc8bd3eb2b637cd0c079290879ee3ce3aac8d50005f0ed6644d24
RedLineStealer
7f11a927ac9742f5b53973e5a198044f52c11af540c028ba81bf1b93ecdff4f0
RedLineStealer
8e2e0590b0418adf88d487f37a49107538e7e2d243f165845852c3f7ece6a337
RedLineStealer
99b7396773e11d0a1d44f674310025344f2d8c9d2813d33e9bd7dd35ac5f2360
RedLineStealer
9a48ec1ff7995f724b479d97b0fd21fc0ee9c6c1598a39192ec677b648087602
RedLineStealer
+ 1'887 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:11 infostealer spyware
Link:
https://tria.ge/reports/221225-j8z32aed8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
79.137.202.18:45218
Unpacked files
SH256 hash:
afd50f079bd873c5f389bf1a48f618ac97debc8f3e1856b9da204ea4f092af1a
MD5 hash:
55b837a7696044eda89bf237b37f37ce
SHA1 hash:
1e6c862f373fb90ee143bd68e7aca8079f1a7f24
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/252d2dbf-135d-409c-9d9b-1b3758547a83/
Parent samples :
f863b2eaafe78bd61faf02eda91f00fafe397b7accd0817f03ce68a355d625f4
c06c0fdae71a40e7b8a804d29cab262bc0802db87a9d2d6db4b193d405a0d020
18b946d10fd3e8d8508fd47749aef1df080e2804b3457f2f4589da13065eaccf
1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f
99b7396773e11d0a1d44f674310025344f2d8c9d2813d33e9bd7dd35ac5f2360
9a48ec1ff7995f724b479d97b0fd21fc0ee9c6c1598a39192ec677b648087602
13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47
7f11a927ac9742f5b53973e5a198044f52c11af540c028ba81bf1b93ecdff4f0
728d0c12a4883b351dab40bfa2881a0dc967f9ff598384050da6c43d0d9bb476
8e2e0590b0418adf88d487f37a49107538e7e2d243f165845852c3f7ece6a337
3ca4879853a8f13a89473cb07e7ae77ab830abbf0ea5e09b3f525c5810b153b9
321b7072a0ea33c36933b98b6523eaf4dead69a8e90dc032f8a4b10cfb835b1e
505509de0eccbd99559118cc90f42f5618c68827d963394afdef810c7fc3b2f1
f80b159cd3d099a3e40ff671e2544df562639dd0cda61709f9e367288140e414
SH256 hash:
13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47
MD5 hash:
798af35d10ee5eeaa15918f085b54807
SHA1 hash:
7717c6bde031fc9d5862639041e5b895fc5b51d1
Link:
https://www.unpac.me/results/252d2dbf-135d-409c-9d9b-1b3758547a83/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13b8a421f7b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2485197/
  
Delivery method
Distributed via web download

Comments