MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 149cfe6af20dd3b333e87fe3b9d764ca9c62d2ab3846845f2a210b8c3695eeba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

SHA256 hash: 149cfe6af20dd3b333e87fe3b9d764ca9c62d2ab3846845f2a210b8c3695eeba
SHA3-384 hash: 55ab049a71a2064676d2c7d8a27e94a10289c97294fc8ae0c0531dd28be2fb46adaec82d2a84d4c5ee37c5f9873c996e
SHA1 hash: e4b79889cfbc590d416feaf5d67c894479ba3e26
MD5 hash: dbb5076bc4604f29fce02c87ce8eec2d
humanhash: march-may-carpet-lithium
File name: dbb5076bc4604f29fce02c87ce8eec2d.exe
Signature: RedLineStealer
File size: 148'792 bytes
First seen: 2021-04-20 11:50:08 UTC
Last seen: 2021-04-20 13:01:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 04b14c74d128b600565b7582f06e9a4f (2 x RedLineStealer)
ssdeep: 768:/Ia7FoXriv7zCWbTOJxgbidM/9s0vb1LAiz9GcSfdvBfJpQ2bZ+8tYosjKAvpXSE:/L7FoXriv7zHF9tbx6WquSOIm
Threatray: 250 similar samples on MalwareBazaar
TLSH: 4AE328E3FAD8944AF4E76DF5A655B2B14D308D3020C1D82A87482E52EA317CBC4F567B
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 90
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dbb5076bc4604f29fce02c87ce8eec2d.exe
Verdict: Malicious activity
Analysis date: 2021-04-20 12:11:59 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Deleting a recently created file
Sending a UDP request
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:qwer discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 135.181.170.169:50845
Please note that we are no longer able to provide a coverage score for VirusTotal.
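The file hashes and the extracted C2 endpoint above are the indicators a SOC would actually pivot on. The Python below is an added example, not MalwareBazaar's, abuse.ch's or any sandbox vendor's code: it parses the entry's own key/value layout into an IOC set and runs it over a few constructed key=value log lines from a hypothetical EDR and flow collector (hostnames, timestamps, the log format and the explorer.exe MD5 are all made up). An exact ip:port match is reported separately from a same-IP/different-port match, because only the former is what the sandbox extracted as the C2.

```python
import re
from dataclasses import dataclass

# Indicator values copied from the entry above. SHA3-384 is left out because
# log sources rarely emit it. Everything else in this block is constructed.
ENTRY_TEXT = """\
SHA256 hash: 149cfe6af20dd3b333e87fe3b9d764ca9c62d2ab3846845f2a210b8c3695eeba
SHA1 hash: e4b79889cfbc590d416feaf5d67c894479ba3e26
MD5 hash: dbb5076bc4604f29fce02c87ce8eec2d
imphash 04b14c74d128b600565b7582f06e9a4f (2 x RedLineStealer)
C2 Extraction:
135.181.170.169:50845
"""

# Matches "SHA256 hash: <hex>", "MD5 hash: <hex>" and "imphash <hex> (...)".
HASH_LINE = re.compile(r"^(SHA256|SHA1|MD5|imphash)(?: hash)?:?\s+([0-9a-fA-F]+)", re.M)
# Matches a bare "ip:port" line as printed under "C2 Extraction:".
C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$", re.M)
HASH_FIELDS = ("sha256", "sha1", "md5", "imphash")


@dataclass
class IocSet:
    hashes: dict  # lowercase hex digest -> algorithm name from the entry
    c2: set       # (ip, port) tuples


def parse_entry(text: str) -> IocSet:
    """Pull file hashes and C2 endpoints out of MalwareBazaar's text layout."""
    hashes = {digest.lower(): algo for algo, digest in HASH_LINE.findall(text)}
    c2 = {(ip, int(port)) for ip, port in C2_LINE.findall(text)}
    return IocSet(hashes=hashes, c2=c2)


# Constructed events from a hypothetical EDR ("src=edr") and flow collector
# ("src=flow"). The explorer.exe MD5 is a placeholder, not a real digest.
LOG_LINES = [
    r"ts=2021-04-20T12:05:11Z src=edr host=ws-0142 event=file_create "
    r"path=C:\Users\a\AppData\Local\Temp\dbb5076bc4604f29fce02c87ce8eec2d.exe "
    r"sha256=149CFE6AF20DD3B333E87FE3B9D764CA9C62D2AB3846845F2A210B8C3695EEBA",
    r"ts=2021-04-20T12:05:12Z src=edr host=ws-0142 event=process_start "
    r"image=C:\Windows\explorer.exe md5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "ts=2021-04-20T12:05:40Z src=flow host=ws-0142 proto=tcp dst=135.181.170.169 dport=50845 bytes=4821",
    "ts=2021-04-20T12:06:02Z src=flow host=ws-0142 proto=tcp dst=135.181.170.169 dport=443 bytes=310",
    "ts=2021-04-20T12:06:05Z src=flow host=ws-0077 proto=udp dst=8.8.8.8 dport=53 bytes=91",
]


def parse_kv(line: str) -> dict:
    """Split a whitespace-separated key=value line into a dict (values may contain '=')."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan_logs(lines, iocs: IocSet):
    """Return (host, confidence, reason) hits.

    Hash hits are normalised to lowercase before lookup, since EDRs disagree on
    case. An exact ip:port match against the extracted C2 is high confidence; the
    same IP on another port is reported at medium confidence for analyst review."""
    hits = []
    c2_ips = {ip for ip, _ in iocs.c2}
    for line in lines:
        ev = parse_kv(line)
        host = ev.get("host", "?")
        for field in HASH_FIELDS:
            digest = ev.get(field, "").lower()
            if digest in iocs.hashes:
                hits.append((host, "high", f"{field} matches entry {iocs.hashes[digest]}"))
        if "dst" in ev and "dport" in ev:
            endpoint = (ev["dst"], int(ev["dport"]))
            if endpoint in iocs.c2:
                hits.append((host, "high", f"connection to extracted C2 {ev['dst']}:{ev['dport']}"))
            elif ev["dst"] in c2_ips:
                hits.append((host, "medium", f"connection to C2 IP {ev['dst']} on other port {ev['dport']}"))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES, parse_entry(ENTRY_TEXT)):
        print(hit)
```

Running the block prints three hits, all for ws-0142: the dropped file's SHA256, the connection to 135.181.170.169:50845, and a medium-confidence note for the same IP on port 443. Swap `LOG_LINES` for a real export in the same key=value shape, or replace `parse_kv` with your SIEM's field mapping, and the rest is unchanged.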

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments