MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a
SHA3-384 hash: 7d54e7a0678e9fd37dbc0b0eee6ac27a4f4adae391c53912b61fb1e4fe45da0cb6b2be9ec0552937b6568b4e24e1f5ae
SHA1 hash: a98164df15415cfb0a22b7d8382f04914e5fef56
MD5 hash: 5f48f3eceef12e98821d2a26b0e039ce
humanhash: kilo-sad-bacon-july
File name:5f48f3eceef12e98821d2a26b0e039ce
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'832'960 bytes
First seen:2022-10-06 10:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c642c0b422c0291be517cbe7f80512c6 (4 x RedLineStealer)
ssdeep 49152:UooLvKAZwwT3zu3Ykuiy/OzsSuRw4hX02JZxH:UooL0wT3dcmG2JTH
Threatray 8'036 similar samples on MalwareBazaar
TLSH T137855C79FB4751F1EA2392B1814FEB7F8B2479158421EEBBFF4ACA04F4335122919252
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317248/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.51202.727.21370.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41512/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware pandora redline
Link:
https://www.filescan.io/uploads/633eacffd089a0c15dd57c3b/reports/0a36559b-2a67-4c44-a62a-bd70bf34fc63/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a3acaa61-b7e6-40ed-a277-94954f05b118
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1084826
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-24 17:07:02 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxdbx7yse2e7xsupmhemypdx2vfhgifhij7jwcmp5sbcgnczrbfa._file
Verdict:
malicious
Similar samples:
13a0b3e462a014b605489df82b082618b64d7292140bbfdbb7b58e683cb80b3b
RedLineStealer
169e01599ade6b92e0a47abbb8ad87b26b72c43ad7d6e9b9ea604ce59961d673
RedLineStealer
185162ce404a5fa9310340b9c39516ab09073c1460dfc1dd066541c1756563a4
RedLineStealer
28120e30e6493e67c89ef159d2d1b2866cc05ebc0be35758023feef924eb5d1b
RedLineStealer
2986955a86572ace49ad3773a3e1ddb742ade6a5d0b09e9f4597bba2477a1465
RedLineStealer
44c6ed2ddb5e2077c153de0a299dcbff82ba1d2a9f304c0e4fed47496ba82af7
RedLineStealer
5d243ded181eefcd0d051a13f2ba7845223b576d6c8f93777552cf252e28bc90
RedLineStealer
6f03dfd71abd06402371157eac912ffeae7871a6d93b8d2dad3242ae59644fcf
RedLineStealer
ddd8aa44e44b27ae1604042ccd9564ab5bc44d72b680293856057995f154cbc9
RedLineStealer
+ 8'026 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@moriwws botnet:h infostealer spyware
Link:
https://tria.ge/reports/221006-mfylaahcgk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
litrazalilibe.xyz:81
185.186.142.127:17355
185.106.92.139:16578
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2b75a6c2-88ee-4e2e-ae77-e2a3f6532930
Unpacked files
SH256 hash:
15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a
MD5 hash:
5f48f3eceef12e98821d2a26b0e039ce
SHA1 hash:
a98164df15415cfb0a22b7d8382f04914e5fef56
Link:
https://www.unpac.me/results/f19a99c5-ef51-42ff-9605-a1a15423bdc6/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15c61bff1226/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/317248/
  
URLhaus
https://urlhaus.abuse.ch/url/2352865/

Comments


Avatar
zbet commented on 2022-10-06 10:24:53 UTC

url : hxxp://5.161.104.85/sg.exe