MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bb780874cc2487b51219376e2ac09e2596fde50c61ba0904d58a9594de64bee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 1bb780874cc2487b51219376e2ac09e2596fde50c61ba0904d58a9594de64bee
SHA3-384 hash: be6f65ab3b50df6a480c058b54fc65ed0cac9a6fe3570d566bb56c5fe422e71b2ccf73121915612a127656d59e081b0f
SHA1 hash: 7df7e0d23bfedb44e49eb496e5ac14c1308f58ed
MD5 hash: 6a59144d4ce51d4ae147c3da00914071
humanhash: black-december-golf-venus
File name: 6a59144d4ce51d4ae147c3da00914071.exe
Signature: RedLineStealer
File size: 367'104 bytes
First seen: 2021-09-25 09:28:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f74a0f3da1e112835a6ac32552c0a4d2 (9 x RedLineStealer, 5 x ArkeiStealer, 4 x RaccoonStealer)
ssdeep: 6144:XkLmyrom0SbBZ5/JADF7319oJGje1ylfuLa7BVWal3pdh:XkLmyrom0SbBJcT19oUi1y8WRz
Threatray: 2'092 similar samples on MalwareBazaar
TLSH: T13974AE10B7F0C034F6F352B949B992B8A93ABDB1AB3881CF62D516EA56746D0DC30357
dhash icon: ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.215.113.15:6043

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.215.113.15:6043 | https://threatfox.abuse.ch/ioc/226451/

Intelligence


File Origin
# of uploads: 1
# of downloads: 122
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d840e5bd0cf66a7913f064e53c3d657f.exe
Verdict: Malicious activity
Analysis date: 2021-09-23 21:21:57 UTC
Tags: evasion opendir trojan rat redline loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-09-23 02:17:00 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:mix23.09 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.15:6043
Unpacked files

SHA256 hash: 9ca4da05abcb973a6b38cf0f5b869fd9c9dbd78ebc7fff3b5c871560c6745ed0
MD5 hash: 9a511d270e8379877d1d65585b53b848
SHA1 hash: e4a1af86fe64c1cff07de9665adf1a871ecfe58e

SHA256 hash: b84a56ef4f7d0e4fad665d2a0b795877c08ac2e1c4893b31ad7c786fed064af0
MD5 hash: beb14d079d21b873f249e3de15e37596
SHA1 hash: be2c08998c96ebccc577aed7ade51b5139411138

SHA256 hash: a4e62a7b1a39ddcae7c26cacd4df50327ac14e52b1a0a2b5a5101730a805eca9
MD5 hash: 17a82b369d36d710dcf2a3311b30fe0b
SHA1 hash: b0ea090ae41196e1017e6c44f065be25ef554ce8

SHA256 hash: 1bb780874cc2487b51219376e2ac09e2596fde50c61ba0904d58a9594de64bee
MD5 hash: 6a59144d4ce51d4ae147c3da00914071
SHA1 hash: 7df7e0d23bfedb44e49eb496e5ac14c1308f58ed
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe 1bb780874cc2487b51219376e2ac09e2596fde50c61ba0904d58a9594de64bee (this sample)

Delivery method: Distributed via web download

Comments