MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 149b01482fe07f353e03b51b13cb957aed0cf8fdac8dac34e3cd1acb6ec44310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	149b01482fe07f353e03b51b13cb957aed0cf8fdac8dac34e3cd1acb6ec44310
SHA3-384 hash:	c148fa536dfa765a39b29c56aa4b323fe13f831041292b32aff7af5ea739e4ba92374eba77373f1d4ef410c9c5c85d82
SHA1 hash:	ef32fc7a012be2c360ddfec512fb6a21456731dc
MD5 hash:	d0c93d7133907f1f0a94c525bb9df16f
humanhash:	fifteen-one-high-apart
File name:	subscription Details pdf.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	517'632 bytes
First seen:	2022-12-30 20:40:18 UTC
Last seen:	2022-12-30 22:29:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a21d2eccfaa9a9a6d2521527583d5034 (12 x Smoke Loader, 11 x RedLineStealer, 1 x Amadey)
ssdeep	12288:5gOdOOnIzpgv9i++5uYS2M+wGPhL6oW6e9:5jO5S9i+vYS2OYUoVe9
Threatray	12'426 similar samples on MalwareBazaar
TLSH	T199B4F01235B0C473C8591D3588609BA5FABAB8219D66764B37842F3F2F303E17A7635E
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	6cd888ac8cac9c98 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
104.167.223.17:33454

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

subscription Details pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-12-30 20:41:23 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/b24d25ff-c7f1-4aa5-a584-63d79c3229fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.9283.28437.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

anti-vm greyware packed

Link:

https://www.filescan.io/uploads/63af4ce0a70bef46551c429a/reports/c07fb2f7-c1dd-4ec6-8230-eab429620ee5/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e81c92b3-1062-4024-bee0-d3b38edeb9f4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1143322

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/149b01482fe07f353e03b51b13cb957aed0cf8fdac8dac34e3cd1acb6ec44310/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-12-30 20:41:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=csnqcsbp4b7tkpqdwunrhs4vplwqz6h5vsg2ynhdzunmw3weimia._file

Verdict:

malicious

RedLineStealer

4c10f4d1da51cac1387dd193fb46ff33c5c867a4e20566a9c3a2acce0ac39d77

RedLineStealer

710250c8a9e4c2b1acfcab83188ea1345e4d04cb339d67e5295b828d356a994b

RedLineStealer

73d5eca1312813e6791661c78d6325ab1a6f7e5ddab4913f4fa84c66ddc55545

RedLineStealer

c1f0a0c570f05ded30dbc78c7bfb4228a5dd97f89582c10bb58ac7478e47030c

RedLineStealer

edace8cc8a3fe5a7dbb168e105354ff95a721c0fcc4df2062c50cf80574acc40

RedLineStealer

fe78f33d95685da99587ab8ae53ac39415d615bafe733a91585ba465123787f9

RedLineStealer

+ 12'416 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:bs discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221230-zgek1sbg7t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

104.167.223.17:33454

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fff73f73-8d51-44ec-afc0-9c786d4f26c2

Unpacked files

SH256 hash:

8bdfc752c6a216eea4dfc274e72bc69d5f12b4b67c381017afa18a81958c81e5

MD5 hash:

22774607ba1a73966e4ef3bab7a2fd86

SHA1 hash:

d68fcf264767739a5f7b0ade8312a5c6350a54b5

Link:

https://www.unpac.me/results/dc5d4971-6534-466d-afc7-f4e9c9ba4cdd/

SH256 hash:

034c877843f82921f0c23a03069efd6bb7ba83bacfd09f39a6f09f7feef196c2

MD5 hash:

4288f122120d83ad156599160c23f7a2

SHA1 hash:

b36ea80bfa0351034c919f43c495f0f02ed2f88b

Link:

https://www.unpac.me/results/dc5d4971-6534-466d-afc7-f4e9c9ba4cdd/

SH256 hash:

bdc49476b5d2ee18b9fe8ac77fed3e0979f0e248a26b24b66c3ebd863c5e3ec4

MD5 hash:

ebf0017a6e2cbad9f74de9aa10cfcb35

SHA1 hash:

8c70e6df0e2728c951dac25f6cb0146d065b71fe

Link:

https://www.unpac.me/results/dc5d4971-6534-466d-afc7-f4e9c9ba4cdd/

SH256 hash:

c124af9f24abc10ec74788f9aa7893cfdd3f1076a81b8da5f9633a1a64535c6e

MD5 hash:

a97f789362aecd13bf858332b26efac0

SHA1 hash:

8089b148a11d29e946d60dd5624d0af13dcbf622

Link:

https://www.unpac.me/results/dc5d4971-6534-466d-afc7-f4e9c9ba4cdd/

SH256 hash:

149b01482fe07f353e03b51b13cb957aed0cf8fdac8dac34e3cd1acb6ec44310

MD5 hash:

d0c93d7133907f1f0a94c525bb9df16f

SHA1 hash:

ef32fc7a012be2c360ddfec512fb6a21456731dc

Link:

https://www.unpac.me/results/dc5d4971-6534-466d-afc7-f4e9c9ba4cdd/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/149b01482fe0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/149b01482fe07f353e03b51b13cb957aed0cf8fdac8dac34e3cd1acb6ec44310

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample