MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1598a44723a94b31630797016221fdfeb8a2d8f3d030956f806040591966da1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 16

SHA256 hash: 1598a44723a94b31630797016221fdfeb8a2d8f3d030956f806040591966da1f
SHA3-384 hash: 616a7c2b975f3dcda0f25e84a82a7c50510eb6f6a120933103fa3ad9f66b10da72c7c5100371ec25c7d462b274c3dda7
SHA1 hash: 7157e242a46f5ec48f7373618010ff27a976dcf6
MD5 hash: 5bde9fbcb6e289885a358f7bbe784748
humanhash: north-potato-comet-fifteen
File name: 5bde9fbcb6e289885a358f7bbe784748.exe
Signature: RedLineStealer
File size: 359'936 bytes
First seen: 2023-02-18 13:07:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 8b23c6f110add61e2d6f38c3c2656d60 (3 x RedLineStealer, 2 x Smoke Loader, 1 x TeamBot)
ssdeep 6144:xoLlEQVqFyU/PrKCLKacxJKq81lvs94IP0:xo5EQaX/Pr5LUKq81lv2P
Threatray 5'961 similar samples on MalwareBazaar
TLSH T1C574B003AAE87C40D9274B7A9F2EC6E8761EF5606F49773612255E6F86F03B2C163740
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0b4b2b0307031602 (1 x RedLineStealer)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.233.20.17:4139

Intelligence


File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
c36bf6b8a4fe13c1102182e3d851b28f.exe
Verdict:
Malicious activity
Analysis date:
2023-02-18 13:00:00 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
9/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware manuscrypt packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.RedLine
Status:
Malicious
First seen:
2023-02-18 12:24:23 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
21 of 25 (84.00%)
Threat level:
5/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline botnet:ronam discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.17:4139
Unpacked files
SHA256 hash:
b7b0c6ae94fecce159df458a4c67e84ba8c8b1e39d3279428568a393d49e8aaa
MD5 hash:
b8fe1f464e35838e160672e994d58220
SHA1 hash:
b3bb88ccaa506e8969067e0c3afcc10d009ea4cd
Detections:
redline
Parent samples :
SHA256 hash:
a31c1b513ceb579e5282194136be60525eff4c58537cbeb986cce00248531b6b
MD5 hash:
6fba81051e3c0b01419eeedc45773817
SHA1 hash:
8e1df7285525adda41e25533c76a4f3719fb125b
SHA256 hash:
360a081c4df96f009b73c843a522ff483eda25f0e21b1c69c273dba1a6c37bf1
MD5 hash:
73c7d025f3d48513da138a81f8ef982f
SHA1 hash:
3cbf02d565aa170b669830239999a964d1641690
Detections:
redline
Parent samples :
d23218868354efc4107040db6aebf4c097a96353e0ab394730f0b23eaab554d2
e28d97ea51bd1358c206ef5eefc7ed2d7349bcf493e70bad015c0aeea276eef8
46aaab86e703a417e047127b4cea47ce052df52f2de4f91329db50b004333514
51ccb6a2257545298badc3114136520da6b91d5932c54b0cc5bb837558440e8c
fa1894cae66e526e056ca8733144a079b1e49eccd72d1e1a71d395884c11b765
ffc503e35e7884be31693005500cbf89858bf9d8017e3b10ac2144d0692c7929
b652cde92a34f384214d605514ce2977fcaa8d7a336bf7c605e78fdfc023b2f6
3eca2d42bf74dfdcb63444f6d2efd4ada5c0621f5a9b877f981bb55b1fcf6a8e
a58d702acf3da7be2deaeffa4d2d58e4aa7959f5edcb81c2af77311bf8c8609e
801584f33f7518cd0c7520f94a2be9dae2cb899f9c5a20ae3c120bac75cf0ed6
5cda278396be9ad779e31b37e00b9751e944127f4b6df8ac5ebdfd767da70a8e
ba9b8dd31763548a5fe839c1911b3a6ec913f10f76ab5d7843aa89a0b9413b84
aead3211ec364534b370cdb6dfa3a209cbcf9bc996e380148c03eb44a6bb28f1
c2400ff0db9c8705af0225ae397a3c7048717a7857d7a929cc8d80e4668ebe25
0d9f8f4fb079a2ee381ff6b64bd93426dbeb03f935781099e58fa6516d788552
b7815413451c983c73d263da603598bd47011bcd2cf7f0baffe9bf1231a3d3e7
db3b63b74d18e26ece81dd88be494382026191d510cdef9ff2108e41009545dd
01a4d474bb873397b572bcb6babf556a2b00c866424acd92f9eb478b46e42112
6e2801f8f42db2a31e99ac5c7ebf2d693d78dd099f9ba3388e58fbd181c343ca
30fae0cfca494715f6252ffb6f20f822ebb250df7e6db46d3a565f3600a9788a
ae18ef500de766c88a9ed7f1da89fed136a4e235918dfaae0e74ee5d158a8928
186b6114ae97b541695924f8b616331e53d7e48ec9e36acd067e8599423838d0
d654c363b8f320c5fd2d544804afffe3ee33c20afc694c42887d5c7a36ea7ac4
1598a44723a94b31630797016221fdfeb8a2d8f3d030956f806040591966da1f
f4565199231418a4e651250524064d521d249ea5fe006f66c29f4f765877b47c
7eafd8bc7dd24a15b1b93a62dff90ded9c704257fed9b7c73c42014153da2891
29881cb13215ee9c2a06a3fb4b99e648075295817a9a8a5dcee3a07ce54589bd
14e611f77744c67113c3f5c209d2ade2a7606f81857e8296316c6b2da1bdd46d
97130fafe31570ab27bdc2f12ba3c61cfe7c618d12d49d6dcfa29fd318c1d848
3144bc97305faff4865049033947b668dc6e4e9ed898cecc8250e3292832bde5
9f4f3f22af197f4d90b1c5088048b3c3dcd06df27542a0cf4ecde1fd3ae99b7d
7b5f0d16c4cad1c899c849680616a959513287d598e6b25a4f8ec14b97326ea9
0f81ae7e1e05d9ca053baa1335ab2749c591092a9fccd394f50263724f662c21
3c4db62895138733283911f7d7b8b26cc75672c72fbc99fe296542fbf3c18bac
023a6207ce76f58f7880f4a29f12a8022f4f770453cfe273ab784cd99fe741ab
f2e1e950e23f81a620ab045e4779c2c5834fddd4d210a3eebfb7f69b0aa23d1d
4f5f2a0d5fc97d3c4b2a6f6096387ee0ff7eff1974febe635e3dc0f09a2abb92
7ead88553a0e5cd16bf07cd5938ad5d4dd7ff68c9221091869bf97b888d2ac0f
6db5e32e091fdd7c90d23b0b7c1fe59ca40088af4f131aee697bd859f978101b
075e52e792e4579a29de5cae798a1ed3c09b1f1ecb8b776e8a873c2fa6a8b919
5df17f53387714d342d63a5946626f3e52be8438ee0701b44c42506f7d003367
SHA256 hash:
1598a44723a94b31630797016221fdfeb8a2d8f3d030956f806040591966da1f
MD5 hash:
5bde9fbcb6e289885a358f7bbe784748
SHA1 hash:
7157e242a46f5ec48f7373618010ff27a976dcf6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1598a44723a94b31630797016221fdfeb8a2d8f3d030956f806040591966da1f (this sample)

Delivery method
Distributed via web download

Comments