MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162cba335f74f2fbdd049ae83e6d1643f8e2d035e35f9544d692c409ec90281b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 162cba335f74f2fbdd049ae83e6d1643f8e2d035e35f9544d692c409ec90281b
SHA3-384 hash: 653c8a32f0a6bf2d97052c6c83b2dccd8a3ca1e6ffde703f1aa7b52ec4e4b169c3ae58422492300956c87da3c7e108ca
SHA1 hash: 1f2e087fcb3c93319a235fe789666e91bd152659
MD5 hash: 9943acad094cb393873360bffbb140bf
humanhash: monkey-pasta-montana-single
File name:Adobe Photoshop.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:355'258 bytes
First seen:2023-01-24 00:33:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:6Q6qfKGjg5QaL0KFAiGOEiiGTW4KXeatGbniuJlW7fQPGNkd9G/rp:6Q6qflGPL0KFfQTtGOuJlW74p9G
Threatray 5'001 similar samples on MalwareBazaar
TLSH T19374ECF66594C4A9E6B13D34B4AEB33C13B09D2BACC69D0D9488FFD8168A17DCCE2145
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 4628dcd4cccc3384 (1 x RedLineStealer)
Reporter Chainskilabs
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Adobe Photoshop.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 00:32:59 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c13401de-da1a-4fa2-8e04-94f3a27bea4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356177/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
assembly obfuscated overlay packed
Link:
https://www.filescan.io/uploads/63cf277b2d4f6d560e228745/reports/0d6e4f2e-5d9c-4204-acf5-5e8f6925d6ff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe8313fd-58a7-4dc4-a9ee-7a8564a98277
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157555
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/162cba335f74f2fbdd049ae83e6d1643f8e2d035e35f9544d692c409ec90281b/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cywlum27otzpxxietlud43iwip4ofubv4npzkrgwslcat3eqfanq._file
Verdict:
malicious
Similar samples:
0eb0369770195b57593f8d1f739637f3dd4803491cf243cf6c9f426351a6c88d
RedLineStealer
186bbf590210d8fd02e981a002c05ab018aaec5ecd9b6ba4a37b16ba2f47b61e
RedLineStealer
387193c9b971c03a0f3d0c709c4316367759dc2013ed22ef7f47de735a6a07cc
RedLineStealer
73d2a3e816c731410ee8b4b6cb0fd06bfd8dd8463caa9924f717da8bac0d34f0
RedLineStealer
b63350aad8b78b989c052c8bdae2ea691108e8e15f4b9b6c864ad86b1c300e36
RedLineStealer
+ 4'991 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/230124-awr28agb29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
RedLine
Malware Config
C2 Extraction:
65.109.139.121:28859
Unpacked files
SH256 hash:
3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36
MD5 hash:
43c14a07b0a83cb0ade9f7da7b0ca394
SHA1 hash:
79d457fc5c171c3677c50d19e7df3baf5f1311a8
Link:
https://www.unpac.me/results/66aa0bbc-d28d-4380-8d1a-3aaf1cefa054/
SH256 hash:
a7181c591ec2b27891181d8d2211a33a88162880e8b25992f3ab73a08339a99e
MD5 hash:
e3b4681a19e40d692fe4b18df47ebb45
SHA1 hash:
790b471fa30a27df9c3e73896da589c0a0e5cc6b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/66aa0bbc-d28d-4380-8d1a-3aaf1cefa054/
Parent samples :
0eb0369770195b57593f8d1f739637f3dd4803491cf243cf6c9f426351a6c88d
162cba335f74f2fbdd049ae83e6d1643f8e2d035e35f9544d692c409ec90281b
SH256 hash:
162cba335f74f2fbdd049ae83e6d1643f8e2d035e35f9544d692c409ec90281b
MD5 hash:
9943acad094cb393873360bffbb140bf
SHA1 hash:
1f2e087fcb3c93319a235fe789666e91bd152659
Link:
https://www.unpac.me/results/66aa0bbc-d28d-4380-8d1a-3aaf1cefa054/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/162cba335f74f2fbdd049ae83e6d1643f8e2d035e35f9544d692c409ec90281b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/c13401de-da1a-4fa2-8e04-94f3a27bea4e
Cape
Cape
https://www.capesandbox.com/analysis/356177/

Comments