MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 187a40c80f0e837cdce06aae645e185e8da0b82f7ef922f83cff3e4fa27ac421. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 16
| SHA256 hash: | 187a40c80f0e837cdce06aae645e185e8da0b82f7ef922f83cff3e4fa27ac421 |
|---|---|
| SHA3-384 hash: | cdc7ab9190c7b83288022721d55616662e098409c3902ea67b37229523658ecac44944f73c0629b145f3a231c3b23aaf |
| SHA1 hash: | c196ca36073ad9439c4dd76c8089ed0dfa95fa6d |
| MD5 hash: | 1730aa5475a43d8f889faf7208bbabc5 |
| humanhash: | berlin-mars-uniform-mobile |
| File name: | file |
| Download: | download sample |
| Signature | RedLineStealer |
| File size: | 322'720 bytes |
| First seen: | 2023-06-14 05:29:15 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5b43169544844188711b217df61eb2d5 (11 x RedLineStealer) |
| ssdeep | 6144:/OgXRtRV25aqTLI5gWWIoX3VWXPzRUITun:PRXA5BTLyPzRUI |
| Threatray | 50 similar samples on MalwareBazaar |
| TLSH | T1DB646D90991CD761E2838476E8774223A60CEC367A54D3EF2F8A957CB6769D1CC18EC3 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Reporter |  andretavare5 |
| Tags: | exe RedLineStealer |
andretavare5
Sample downloaded from https://vk.com/doc228185173_661540967?hash=1W4pH8iQPiuYN4DMoOaEngP9ZOWaymOEHcedNf7mqHL&dl=lO4NIQZNTUMKM6cP6zFPGZlchtS4ddlVgyW8niosdvo&api=1&no_preview=1#L1Intelligence
File Origin
# of uploads :
1
# of downloads :
280
Origin country :
USVendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-14 05:31:56 UTC
Tags:
rat redline
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware overlay packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.CrypterX
Status:
Malicious
First seen:
2023-06-14 05:30:04 UTC
File Type:
PE (Exe)
AV detection:
16 of 37 (43.24%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 40 additional samples on MalwareBazaar
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline botnet:lux3 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
176.123.9.142:14845
Unpacked files
SH256 hash:
318fb81812de16e80a2cfc90895004cb03530e49d62d360915661fcacc390da9
MD5 hash:
c663260681134d0f6811806093ec7f8c
SHA1 hash:
9643578b145e79481e35411ee4eb3a5baf30f8d6
SH256 hash:
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
MD5 hash:
936cb3023cd500e07e9ad5dda9996c3f
SHA1 hash:
5772bd98e8da65cb1339e45074b0a6eaf07219a6
Detections:
redline
Parent samples :
d8244ef0cb7ee70181f80484cff739b6f1458a2e9f2836ad00f445c3b863ba25
c4d252efb23f087a2c2efdb8bc64b97a9976c0f85995a50e18791f4538fac454
4a9c93e088da7f15b571b3595624ae59f112d3f532c8265178d4cc71f7ddd8b6
2d873fb5e5df1ecafccb3eeaa6dc1835676d7f43938ff37a623285a086d6208d
187a40c80f0e837cdce06aae645e185e8da0b82f7ef922f83cff3e4fa27ac421
3c979ae1af88397dc5be34fea28050d85cd283898d71e52c8ad1db05c407458b
b6f77ab64fad140fa89c1ce71cff87397de1e28bfa747690ddb5b28a7e46f461
12e2b32428e957fdb6bc42d0e99a84a2a4e9dde411b356a0ff45bf6b66dd9d33
705dae41f74ff7fa9f5d4474d3474422d69e20bdebb9c36c020978de8ce48368
625423357c26d7445624d49b25dd0debe94b586f08cb2afb746d1498207477a5
67b9b74f647846d67ef5be1e4aba44e74cc62e9e401ca9f8e5bb695daa15e611
31b8115712aa50566e40a5246b9415adb02bb49679ddee79e427869c607838cb
277a999bab7bdb1a609efaf82a6c33a871c8c5334cec9c48241878d060540136
3a054bcc44b57c0cc62512768e7cfe21159d0530d775ae7d04c5b4eeea17c117
b7cb338abb490b1cc110d044049d5b5402bdaf411989d84bd739b7fd6974571f
824802b8de1d5007ebfd0449d1131ef31aec0b5f84fc39fe721fecb9b116007f
d1e74b5540f6ee93076ebff16db8593decd2364f4a4465d4ef7f4087f7c8119c
0017cc9e58298216af63de0f6bbb0a4a369d4b96a5dc52f6f25d47867a1ca346
665a12c39806edc87811291d7c054ccd07ada0f7da775cf90b6473b2a4457586
b106631de5708f0c7db74edc5956c0b438759a051a4624664124b76ee2f29356
fc412bb40a7d2ca18ec93170fb61b7e8db762db7415592f19bc367402f6d550e
73482d57d8d95b8f24345ab5a962a845f0b05f455ce4037a716df4ae2ff275c0
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb
3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
c4d252efb23f087a2c2efdb8bc64b97a9976c0f85995a50e18791f4538fac454
4a9c93e088da7f15b571b3595624ae59f112d3f532c8265178d4cc71f7ddd8b6
2d873fb5e5df1ecafccb3eeaa6dc1835676d7f43938ff37a623285a086d6208d
187a40c80f0e837cdce06aae645e185e8da0b82f7ef922f83cff3e4fa27ac421
3c979ae1af88397dc5be34fea28050d85cd283898d71e52c8ad1db05c407458b
b6f77ab64fad140fa89c1ce71cff87397de1e28bfa747690ddb5b28a7e46f461
12e2b32428e957fdb6bc42d0e99a84a2a4e9dde411b356a0ff45bf6b66dd9d33
705dae41f74ff7fa9f5d4474d3474422d69e20bdebb9c36c020978de8ce48368
625423357c26d7445624d49b25dd0debe94b586f08cb2afb746d1498207477a5
67b9b74f647846d67ef5be1e4aba44e74cc62e9e401ca9f8e5bb695daa15e611
31b8115712aa50566e40a5246b9415adb02bb49679ddee79e427869c607838cb
277a999bab7bdb1a609efaf82a6c33a871c8c5334cec9c48241878d060540136
3a054bcc44b57c0cc62512768e7cfe21159d0530d775ae7d04c5b4eeea17c117
b7cb338abb490b1cc110d044049d5b5402bdaf411989d84bd739b7fd6974571f
824802b8de1d5007ebfd0449d1131ef31aec0b5f84fc39fe721fecb9b116007f
d1e74b5540f6ee93076ebff16db8593decd2364f4a4465d4ef7f4087f7c8119c
0017cc9e58298216af63de0f6bbb0a4a369d4b96a5dc52f6f25d47867a1ca346
665a12c39806edc87811291d7c054ccd07ada0f7da775cf90b6473b2a4457586
b106631de5708f0c7db74edc5956c0b438759a051a4624664124b76ee2f29356
fc412bb40a7d2ca18ec93170fb61b7e8db762db7415592f19bc367402f6d550e
73482d57d8d95b8f24345ab5a962a845f0b05f455ce4037a716df4ae2ff275c0
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb
3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
SH256 hash:
187a40c80f0e837cdce06aae645e185e8da0b82f7ef922f83cff3e4fa27ac421
MD5 hash:
1730aa5475a43d8f889faf7208bbabc5
SHA1 hash:
c196ca36073ad9439c4dd76c8089ed0dfa95fa6d
Malware family:
RedLine.E
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_EXE_Packed_ConfuserEx |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with ConfuserEx Mod |
| Rule name: | MALWARE_Win_RedLine |
|---|---|
| Author: | ditekSHen |
| Description: | Detects RedLine infostealer |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | pe_imphash |
|---|
| Rule name: | PE_Potentially_Signed_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | redline_stealer_1 |
|---|---|
| Author: | Nikolaos 'n0t' Totosis |
| Description: | RedLine Stealer Payload |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Dropped by
PrivateLoader
Delivery method
Distributed via drive-by
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.