MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 152c56c8e3e63e3f6f4d9f0d5bd633f2a816d853d099997b0d9cf55445c8d045. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 152c56c8e3e63e3f6f4d9f0d5bd633f2a816d853d099997b0d9cf55445c8d045
SHA3-384 hash: fff74478e016e4eaf56ee5c9b92da15eb88c790309a67a5a53687fd3c512fa9bb61c88bc483020b9d21c89ae436652c0
SHA1 hash: 0a03ce5a9a860b4c25674f26b88dfb30a928a7ab
MD5 hash: bad372aaa8336a9d5bdcceb0531c7444
humanhash: oklahoma-yankee-north-cola
File name:bad372aaa8336a9d5bdcceb0531c7444.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:440'832 bytes
First seen:2022-05-17 09:26:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 501b246be07388174c9f9a65fef86aa0 (3 x RedLineStealer, 1 x RemcosRAT)
ssdeep 6144:wJSGGD77F7GE6nTsFH7YGZ6tftgYzHAdcaDvmXYaiga3wVf:w4GGDHFxOIh6d7AdCY/
Threatray 6'173 similar samples on MalwareBazaar
TLSH T1C194F111BFD1CC75E0921D3448A4DB62477BB8325930958BF7909BAE1EF33909AB6327
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.75:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.75:80 https://threatfox.abuse.ch/ioc/571411/

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
bad372aaa8336a9d5bdcceb0531c7444.exe
Verdict:
Malicious activity
Analysis date:
2022-05-17 09:42:41 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/13780aeb-d233-4a56-b9a5-1827c432c04d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271463/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Query of malicious DNS domain
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18251/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed tofsee
Link:
https://www.filescan.io/uploads/62836a3bbc516cf66c2a2fbb/reports/7973604b-ee23-474c-96dc-1c4d214c0ff5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/444b03ff-06ed-43d3-98e1-4932da7303b5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995672
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/152c56c8e3e63e3f6f4d9f0d5bd633f2a816d853d099997b0d9cf55445c8d045/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 09:27:08 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cuwfnshd4y7d632nt4gvxvrt6kubnwct2cmzs6yntt2viroi2bcq._file
Verdict:
malicious
Similar samples:
3227d26fb115c2c55d71705eb71d5e4704e6d63bfbac6a4d85614d04bbc8f3a2
RedLineStealer
4bdc48e114978c475a2497736efb4fa1afd76839ab21e19e3138ee47af7106f3
RedLineStealer
6ccc8edcce52e621484208387d0e71da165f1578f0db95b51b8b31fb8c19cc05
RedLineStealer
dde990b668b346c6aa6fc6775c1297f00acefe6118402726cc40be11600256f3
RedLineStealer
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
RedLineStealer
f492b2bf8db70068e31654af82901016dbc2190f6d3e3a88618289ffd9026722
RedLineStealer
+ 6'163 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:test1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220517-leq95saaa4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
185.215.113.75:80
Unpacked files
SH256 hash:
765d27525d3d42784328373cb48791a1668b0d65016dc73757ac1db29b547f33
MD5 hash:
e1453606c48c4f9759cdc8aa84b27195
SHA1 hash:
939eab0d85d56f8692f18320ccd82ca18c6b8ed8
Link:
https://www.unpac.me/results/8a83d6ae-1c02-40d7-9abe-4efc261a137d/
SH256 hash:
a3e28cdd2af4788100d2efdd92e21bb308f501760bce15f8f1ce9983babea48b
MD5 hash:
c8f6993e38999ee923baa26697890496
SHA1 hash:
71f14876156c5d68cd51909976d49777a5453060
Link:
https://www.unpac.me/results/8a83d6ae-1c02-40d7-9abe-4efc261a137d/
SH256 hash:
044826134b808e3d913e4093be30b7333137d82e19ed53c7e871af8edc475940
MD5 hash:
38849f07e6daa7fa4b9b2bceb38acdfe
SHA1 hash:
576bb82572453a3fac322507e00d8302271f1998
Link:
https://www.unpac.me/results/8a83d6ae-1c02-40d7-9abe-4efc261a137d/
SH256 hash:
152c56c8e3e63e3f6f4d9f0d5bd633f2a816d853d099997b0d9cf55445c8d045
MD5 hash:
bad372aaa8336a9d5bdcceb0531c7444
SHA1 hash:
0a03ce5a9a860b4c25674f26b88dfb30a928a7ab
Link:
https://www.unpac.me/results/8a83d6ae-1c02-40d7-9abe-4efc261a137d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/152c56c8e3e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/152c56c8e3e63e3f6f4d9f0d5bd633f2a816d853d099997b0d9cf55445c8d045

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 152c56c8e3e63e3f6f4d9f0d5bd633f2a816d853d099997b0d9cf55445c8d045

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2197415/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/271463/

Comments