MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311
SHA3-384 hash: 55905d796f65709f66f47b8998b53a02de4d74697ce1714097cd6695ac4830f6258080fb881dab70a7bccec19cbe8a65
SHA1 hash: 328eb280dcd012c71af5974b60aad17f0a216b49
MD5 hash: 92e2e1a5d3076e1d1b29522c908b4e78
humanhash: hydrogen-georgia-eight-dakota
File name:92e2e1a5d3076e1d1b29522c908b4e78.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:391'168 bytes
First seen:2021-06-03 10:01:39 UTC
Last seen:2021-06-03 10:57:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 54bdb0f44e9d5628a234fe66c31a1617 (7 x RedLineStealer, 6 x RaccoonStealer, 4 x Stop)
ssdeep 6144:ZC/OImoWq1joBKDwMjslPknAwxZ8QEDuH9A60n6eHYES6uwvjla:ZC/fmt2joBBMj7jU6H9j0n6e/rI
Threatray 1'627 similar samples on MalwareBazaar
TLSH 6C84AE10A7B0E034F5F312F45ABA92B9A53D79E17B2450CB62D62BDA1674EE0EC31317
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92e2e1a5d3076e1d1b29522c908b4e78.exe
Verdict:
No threats detected
Analysis date:
2021-06-03 10:08:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4d53322-6ced-4775-a6c5-8527dc525fd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164356/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/796578
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 01:20:24 UTC
AV detection:
22 of 47 (46.81%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
150d707cc2e9d784f0fbd252163607d356f8e0895f5780fb592009f276d44cf7
RedLineStealer
37a8c9dbb2bd8c64a1fe0e1d72e812db8e54411e2a97598ead5555fd0b1127c7
RedLineStealer
43a38e0f15c22a94dec67acce84a2cbed685b8c58014ee4a432dad8f9e550a7f
RedLineStealer
524c53b84d8d7d5434d82e266cdf1fce9665558ca8a9ced8e7404b12e0604a24
RedLineStealer
82b71a1fc1c575129b572ee2ec5f20e7008e373400b8f0ada298e073fe3d5112
RedLineStealer
8e96166564978a1f84bfa3f352c7f49cbe2920a53375527143b53ac1455c9c82
RedLineStealer
c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72
RedLineStealer
d460839a01093007c634bbca24ac143244b9f6d2b4943ea9aa292600884836ce
RedLineStealer
d8ed5b288ac2b5f908d544a8837d20a5c30464e1f0d980c9c2b974533c9d1e35
RedLineStealer
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
RedLineStealer
+ 1'617 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210603-6rl3mlfekn/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload
Malware Config
C2 Extraction:
49.12.42.196:12598
Unpacked files
SH256 hash:
a526722c6099065dbaf2f4d07af7e6af1659ad914fab655a30ed5ff32b34d422
MD5 hash:
96659e1fa9ad47a840e475a3c1de6104
SHA1 hash:
e6f99b504d933dc11254e8b64b530110ba3b0f47
Link:
https://www.unpac.me/results/7f81587d-4d9f-44e5-8f9a-6b3180c9eb69/
SH256 hash:
b128d33e55cc7119ef8827d59d707b277d2cd9592df49f8c972bc56d47e2fa70
MD5 hash:
9ec8b96a1a068a1ec4c3463dabbd108e
SHA1 hash:
ad39cfabdb522c52838e5d142d4f0c74655fe981
Link:
https://www.unpac.me/results/7f81587d-4d9f-44e5-8f9a-6b3180c9eb69/
SH256 hash:
c18694f035b34ecbbadaf767076a70cff45bb39caf794a827a6e5d652c320e52
MD5 hash:
d237daf497c4bbc01c1e14514b4a908d
SHA1 hash:
50429b1b0e8e7180f1dcde2bff6821897ace3825
Link:
https://www.unpac.me/results/7f81587d-4d9f-44e5-8f9a-6b3180c9eb69/
SH256 hash:
163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311
MD5 hash:
92e2e1a5d3076e1d1b29522c908b4e78
SHA1 hash:
328eb280dcd012c71af5974b60aad17f0a216b49
Link:
https://www.unpac.me/results/7f81587d-4d9f-44e5-8f9a-6b3180c9eb69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1300624/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164356/

Comments