MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba0e44040e713ddc5dea6e5645c58f2c4131d907343e4eb67b3c704bdd2d4d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 8 File information Comments

SHA256 hash:	1ba0e44040e713ddc5dea6e5645c58f2c4131d907343e4eb67b3c704bdd2d4d8
SHA3-384 hash:	cf65f30cf331443ded3f5e4d55bb03e62562dfe7016163b03e127bac5a055c5e1036f6d2997b3908438466c76a5c3ddc
SHA1 hash:	bafdf7ba1adc69ba408f892d4067dd950307cfcc
MD5 hash:	70b6050624c2833c34181a75275a609a
humanhash:	lamp-skylark-ink-lactose
File name:	70b6050624c2833c34181a75275a609a.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'244'312 bytes
First seen:	2021-08-04 20:55:59 UTC
Last seen:	2021-08-04 22:24:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:nrwMEV7sz/kduOF/wWfpQbxmgaEyaHfdNYAkc:nrwMkKGnw1mg7vL
Threatray	821 similar samples on MalwareBazaar
TLSH	T18D45027F76C08F09D5681975C1E3893403E2BED2B236E7093E54728A0D727A9CD9E386
dhash icon	b692c50c69288556 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
195.149.87.79:12439

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.149.87.79:12439	https://threatfox.abuse.ch/ioc/165720/

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

70b6050624c2833c34181a75275a609a.exe

Verdict:

Malicious activity

Analysis date:

2021-08-04 20:59:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/96719493-00d6-4bdf-923f-b399d20af6b4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176459/

Detection(s):

SecuriteInfo.com.Artemis70B6050624C2.11095.26971.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Connection attempt

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/be4dec76-9691-42ac-93a1-a3547e304433

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/827950

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ba0e44040e713ddc5dea6e5645c58f2c4131d907343e4eb67b3c704bdd2d4d8/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-04 17:32:33 UTC

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=doqoiqca44j53ro6u3swixcy6lcbghmqonb6j23hwpdqjpos2tma._file

Verdict:

malicious

RedLineStealer

17dfa2e1768aa1ef822527eec763f22090807a4aa4a674e8924090e7bc37bbef

RedLineStealer

45d8a91be1d071837969fc7801a224b06e918bdc813e7ec14348abf8d0810312

RedLineStealer

5862f38c79bc816b3158d8171a1f54c156a4f0565d4b98a1ea5399c92b732464

RedLineStealer

89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

RedLineStealer

9b67caf9dccb8672273f6b0715292e69f323510f09dbfd7dbf3bca8522bcdfe0

RedLineStealer

bb9a6242991d0d9bf29011e503cb679537dda42fab5451869ce866b3dada19ca

RedLineStealer

f346f4ae05a7e12052e7cac276b2b812b15d3459ad00e4b1bdb21394e7d37cde

RedLineStealer

+ 811 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:build smailik discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210804-32sc14w52a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

195.149.87.79:12439

Unpacked files

SH256 hash:

0e178ff17efefc26adc8f40b0d991e15530b254927316b1f5d491154baf57a8c

MD5 hash:

0e4c2e065a6f2f1eb79a0d2e1faf93b1

SHA1 hash:

9b0cca215bd3a353d670a9cb38df2d2be7afed98

Link:

https://www.unpac.me/results/249203f6-930d-450b-b195-4edc35440c59/

SH256 hash:

757f4ac896659eec5728e2778cc19b6ac91d81d5ac5b8f607c78b1050df7f1d3

MD5 hash:

ff7a16e4cb5ff7908adc74991c14aff7

SHA1 hash:

3b0a58048e1e898c92de0bc143e56a06d935fa78

Link:

https://www.unpac.me/results/249203f6-930d-450b-b195-4edc35440c59/

SH256 hash:

1ba0e44040e713ddc5dea6e5645c58f2c4131d907343e4eb67b3c704bdd2d4d8

MD5 hash:

70b6050624c2833c34181a75275a609a

SHA1 hash:

bafdf7ba1adc69ba408f892d4067dd950307cfcc

Link:

https://www.unpac.me/results/249203f6-930d-450b-b195-4edc35440c59/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1ba0e44040e713ddc5dea6e5645c58f2c4131d907343e4eb67b3c704bdd2d4d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)