MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15b6fbf0b1b094118df330e048bf4c4af3cb1d75e3b2707a94ea6974fe88b10c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 3 File information Comments

SHA256 hash:	15b6fbf0b1b094118df330e048bf4c4af3cb1d75e3b2707a94ea6974fe88b10c
SHA3-384 hash:	a96c29a9aba5486393d4c4f02a5c3be63c7a1913b580a9e4fdf83e288b7c61c4904c6e72fec214d74c6440150ce222cb
SHA1 hash:	aec8e719ac3ddac96b7b3efd1a8fa1193ef49961
MD5 hash:	1e4516d19b827dad2ad1b74d5136ec7e
humanhash:	connecticut-hotel-asparagus-oscar
File name:	eySNvfyS1M33.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'481'168 bytes
First seen:	2022-06-25 12:25:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7b160b0b666ad3eb59d3c49410287af6 (1 x AveMariaRAT, 1 x RedLineStealer)
ssdeep	24576:vpdx8r47RuRJqWpeXJvL4FVoRnoXbA6OVnNjJf5Jf11Gz7bYIDB0C/g0uso88GKp:RduU7srpeW3vXxUJfbnMfYIDGsg0us2p
TLSH	T16E651246F23DC86EE44341B16873F9E45924E82325F52A2636C4335F1A76FB48E172EB
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ead6b2b4b6aaf0e8 (1 x RedLineStealer)
Reporter	milannshrestga
Tags:	exe Redline RedLineStealer signed

Code Signing Certificate

Organisation:	*.servicestack.net
Issuer:	Amazon
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-04-11T00:00:00Z
Valid to:	2023-05-10T23:59:59Z
Serial number:	0a6a31063288c2c23580b9f9f6e50184
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	e171169f9a927866eb128c8aa9e986889be067e19b5bc637fcf90a8af54179f1
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

milannshrestga

Discord CDN

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.132.1.85:28000	https://threatfox.abuse.ch/ioc/726360/

Intelligence

File Origin

# of uploads :

# of downloads :

471

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

eySNvfyS1M33.exe

Verdict:

Malicious activity

Analysis date:

2022-06-25 12:25:12 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e25ca426-b30b-4f09-9597-3d8b3f93e3f6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/283242/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Searching for the window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/62b6fedae88d6da4ffc5ab6c/reports/22d66c7a-611d-47ae-8d28-7854b5d45b54/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb58be9d-0814-49a2-84be-8f3f280bc88e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1019743

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/15b6fbf0b1b094118df330e048bf4c4af3cb1d75e3b2707a94ea6974fe88b10c/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-06-25 12:26:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cw3px4frwckbddptgdqerp2mjlz4whlv4ozha6uu5juxj7uiwega._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:money infostealer spyware

Link:

https://tria.ge/reports/220625-pl6j7aead5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.132.1.85:28000

Unpacked files

SH256 hash:

77b8136403699c4d8e901583f3085e337abb1025c72a1a4d57aa51b5fbd592d5

MD5 hash:

7e8d09759f126096b895a6488784c91a

SHA1 hash:

27c971eb952cbf1fe0350901ccb21e4c732216ea

Link:

https://www.unpac.me/results/668b69d7-3317-4c6b-8c50-0bb8c1731ec2/

SH256 hash:

1630d551ec0db093c9ed674f7a08ec39bc902734bd9a24ac632268b23fd1953e

MD5 hash:

53e740a37ff5d79c489e2cdf08f90e93

SHA1 hash:

be10734258fcec522b47ea209f9925c047dc56fb

Link:

https://www.unpac.me/results/668b69d7-3317-4c6b-8c50-0bb8c1731ec2/

SH256 hash:

15b6fbf0b1b094118df330e048bf4c4af3cb1d75e3b2707a94ea6974fe88b10c

MD5 hash:

1e4516d19b827dad2ad1b74d5136ec7e

SHA1 hash:

aec8e719ac3ddac96b7b3efd1a8fa1193ef49961

Link:

https://www.unpac.me/results/668b69d7-3317-4c6b-8c50-0bb8c1731ec2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/15b6fbf0b1b0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/15b6fbf0b1b094118df330e048bf4c4af3cb1d75e3b2707a94ea6974fe88b10c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/e25ca426-b30b-4f09-9597-3d8b3f93e3f6

Cape

https://www.capesandbox.com/analysis/283242/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample