MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bff47288ce92dfc991c5fe4154a8ba90a356064eee720a785fabf4564d67365. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	1bff47288ce92dfc991c5fe4154a8ba90a356064eee720a785fabf4564d67365
SHA3-384 hash:	beb44955a04a6fb266dd22ea5beecde707c7c8de0128b3f2430d56f017638cb3f8f730abf94acd9ec195b5a9b500819d
SHA1 hash:	d0edf0cae17dfb1579fbdd999de885776e95d88f
MD5 hash:	ac1ecb633ecbd7fed4c661f042dafd8b
humanhash:	enemy-fifteen-quebec-carolina
File name:	ac1ecb633ecbd7fed4c661f042dafd8b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	304'128 bytes
First seen:	2022-11-25 17:49:54 UTC
Last seen:	2022-11-25 20:38:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5e68478b6a88e435e2a2d481d073e066 (6 x Smoke Loader, 4 x Amadey, 3 x Tofsee)
ssdeep	6144:5sLIL03zPNlzOp+SJgp3RqEdzLwvwWpc0:q0IzPNlSEsgp3RqUwoql
Threatray	11'709 similar samples on MalwareBazaar
TLSH	T1815402317A10F873C48764744939DA90AFB9B63015B8D64BBB5806BE9F306C17B3E74A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	2dac137039939b91 (13 x RedLineStealer, 9 x Amadey, 9 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

549

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

ac1ecb633ecbd7fed4c661f042dafd8b

Verdict:

Malicious activity

Analysis date:

2022-11-25 17:52:05 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/2c93fbc9-edac-4bee-811c-391f314384d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/338535/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.3324.6012.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed

Link:

https://www.filescan.io/uploads/6381004b151dc20f68a7bdc7/reports/49c31fb8-b34e-45ff-88e0-778e739f60c2/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/107e4877-d01e-43d8-88f9-94d93dee1958

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1121285

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bff47288ce92dfc991c5fe4154a8ba90a356064eee720a785fabf4564d67365/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2022-11-25 17:50:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dp7uokem5ew7zgi4l7sbksulvefdkyde53tsbj4f7k7ukzgwonsq._file

Verdict:

malicious

RedLineStealer

0bd4b94ef5e037092835ff74b1ca2c0ec2d34e6d34f7fd29160d747e0d9b12cd

RedLineStealer

25f4009278206d432081f8d3735cbbf7e3888a2e4f0bcf28c446ebae2b3c6c90

RedLineStealer

5ee821467a11f10fff154dea1df3b674053d0927415c21b50d71cc89c84af517

RedLineStealer

6792bd35a4de116b29f3c10fc30e74f28d3437eb58a98def8c037261b104c94a

RedLineStealer

7b07c223a9901226587ee913ee4cb4eb192aeefea2d426476d3574c01a394a20

RedLineStealer

a651001136d322283e08a68956eb21ccc97d37a92dbf9635be65d02f340cd825

RedLineStealer

d6975d134cc13b002f41d1637336ae8e793da8f5024456f71b01123dc5d5c132

RedLineStealer

+ 11'699 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:pops discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221125-weksgagd2y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

31.41.244.14:4694

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7dad1f3f-daf9-40df-901b-27a071148cef

Unpacked files

SH256 hash:

0556df377ead30cda6b86f93c8d55d974c0d0e0c74b4b5b14e8d243374676bb9

MD5 hash:

243f3daee6ac92c00a6f3e702166c51e

SHA1 hash:

6865ba9c11b7ab832adc813bec154927318d0a55

Detections:

redline

Link:

https://www.unpac.me/results/65f9ce02-dd2d-41cf-91a9-cece32470d69/

SH256 hash:

11bc82beea3e3f93affbbb370302e82d3e1b69d407ebf12a76c37308e420b981

MD5 hash:

13415c7aa3066d9f23258b705e8d96c8

SHA1 hash:

5eace7281304eade4e68ab84624c5c2343ee5b3d

Detections:

redline

Link:

https://www.unpac.me/results/65f9ce02-dd2d-41cf-91a9-cece32470d69/

SH256 hash:

8d73b55d4e128263e4c1edb1a6af20a63e80e4505d7e454a1a77668a00652cdb

MD5 hash:

50e94f98e68cb0e22bf265d06306e8fd

SHA1 hash:

1bbe582cf636422434fdeaf997515a4f91c26fd2

Link:

https://www.unpac.me/results/65f9ce02-dd2d-41cf-91a9-cece32470d69/

SH256 hash:

1bff47288ce92dfc991c5fe4154a8ba90a356064eee720a785fabf4564d67365

MD5 hash:

ac1ecb633ecbd7fed4c661f042dafd8b

SHA1 hash:

d0edf0cae17dfb1579fbdd999de885776e95d88f

Link:

https://www.unpac.me/results/65f9ce02-dd2d-41cf-91a9-cece32470d69/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1bff47288ce9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1bff47288ce92dfc991c5fe4154a8ba90a356064eee720a785fabf4564d67365

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.