MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 10 File information Comments

SHA256 hash:	1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494
SHA3-384 hash:	163926800d0b2d6a118f5e29a9137c36c990a2461c2de5d7b417dc3ddc3e5d1bf99b508107eb2426a788db602817a814
SHA1 hash:	41d03bddc1530e25c7e8dceed0f6300d18ba1aee
MD5 hash:	7b19de9645f02b96f066a132497be901
humanhash:	salami-mango-shade-mango
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'198'080 bytes
First seen:	2023-10-20 10:55:53 UTC
Last seen:	2023-10-21 12:33:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d7ba208feadbc5004adbbe24711c2488 (6 x RedLineStealer, 5 x Amadey, 1 x Backdoor.TeamViewer)
ssdeep	12288:f8ZxOe8/OvUJYRqZPvxrSFmLUwVcufExE+o8Si9q/b2eus3REEIESX32PoyxC4IK:fr/OvUJYRqZPvxrGaVlfExhxyzaTTvG
Threatray	1'641 similar samples on MalwareBazaar
TLSH	T1B5457D3038D1403AEEF713F65EADBD39567CD06003ED98DB35E896D9AB206D23631962
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc52355237_667189451?hash=7xGZU0cMYSHNqbzqt2AP9GuJLwlmznUeKyo3yrg5rzz&dl=tPinVK3RMIvQ70nVe0pPupJXUSRp3ZjBF5nI6sw73zo&api=1&no_preview=1#1

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-10-20 11:11:42 UTC

Tags:

stealer redline sinkhole

Link:

https://app.any.run/tasks/7d9065a0-c8fa-4f36-bf35-c2ea965eae91

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Pwsx-10011340-0

Win.Trojan.Trojanx-10011459-0

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/65325cc2cd0633254b85d46c/reports/70a23f6b-d3ef-41b3-ac31-fde6e5d3a062/overview

Verdict:

Malicious

Labled as:

TrojanSpy/Stealer.fk

Link:

https://www.hybrid-analysis.com/sample/1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Conti

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e3f7a961-08bd-4058-a7d9-41d711f14be7

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1329198

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

83%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-10-20 10:56:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=domyronbd4kkmmtqgqrezxcibzqkkwxronbkqmzjbs2yezwwwska._file

Verdict:

malicious

RedLineStealer

0d2075b728700bacfa79dc4138df8e89a8d3a67221f612d2997968598b6285b3

RedLineStealer

2e2208d8929729766d184b02f6030a0b77fb560c1bfbb69e2c56479623083675

RedLineStealer

6d2ec231112b3cfc9f4b22c0d21866be80d39c68ddc0358bdad12284e4783ea2

RedLineStealer

9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff

RedLineStealer

adad848bf6d7a20eb9faef8413be0071b82fc7b237c867e15e05e7d5600d23ee

RedLineStealer

bbb535e87b6d2fde49c6b143af1a003b5670b422937c9dd0cf5424bd212dfc01

RedLineStealer

da920bb04ee50d8842f01eda3e8eafde082331df010631fc8d0a2c20af911e98

RedLineStealer

e6e34973f51bfecb0dea2825753f1db7414549d9e794bcdf8191b1d8486ffcf9

RedLineStealer

f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3

RedLineStealer

+ 1'631 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer spyware

Link:

https://tria.ge/reports/231020-m1nxksbe28/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

171.22.28.236:38306

Unpacked files

SH256 hash:

18771aab0d37ea21e0176445b17b75d145d9fc688a185e50293242c829566a73

MD5 hash:

ed7e9a6e6ce54ff2fc91b83cb84f422f

SHA1 hash:

5cbab5f2f27eea11b4efcd984547bb6389f23069

Detections:

redline

Link:

https://www.unpac.me/results/ba840f97-e544-48c4-b89d-846889f9bde8/

Parent samples :

af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570
1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494
34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953
efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1
f57d924e1c1b97aba0abe02943b16850bdd22d5eb6c5f9df5acfc420994402fe

SH256 hash:

1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494

MD5 hash:

7b19de9645f02b96f066a132497be901

SHA1 hash:

41d03bddc1530e25c7e8dceed0f6300d18ba1aee

Link:

https://www.unpac.me/results/ba840f97-e544-48c4-b89d-846889f9bde8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1b9988b9a11f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample