MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c2eda4db0f0cfb353ff0646672d055e2864daaec0bae7e66c90a405dcf3ea39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	1c2eda4db0f0cfb353ff0646672d055e2864daaec0bae7e66c90a405dcf3ea39
SHA3-384 hash:	70a3ef56a5e9d2237880df31aeee1f97f59cff504f5d1bbdbecbd1a5fc85fa77ddfa1a8e83fcd15702b2ec2c2cf0817a
SHA1 hash:	1a208c6722924c568dc86fc51ac580a4f459213e
MD5 hash:	a8150c09777efeb0e755abd6cbc36b5e
humanhash:	network-yellow-fifteen-october
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	478'720 bytes
First seen:	2022-11-19 10:47:16 UTC
Last seen:	2022-11-20 07:34:43 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:5h3DJ51cfJnPPaP9oysOM+YACPP/tOMyHoNxTVLqcYVkY6RLI:5h3DJ51IJnPPw+ACh9mV0RU
Threatray	621 similar samples on MalwareBazaar
TLSH	T137A4F11EB3546AE1CA3464737614CB9087B0DEDA8C8CDAD66D7E3DC0BD72368385A8D4
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	f0d8949aaad4e8f0 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc760750097_656393376?hash=OHT8VCqVKySiQd2YiP8yYz8d4xNH7dSsU0UQ1b6MOlT&dl=G43DANZVGAYDSNY:1668854080:BZaAz1LxXZLLlLsywoLXDWPq1MtdMZfKRqMvwvyw2a0&api=1&no_preview=1#maf5

Intelligence

File Origin

# of uploads :

574

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-11-19 10:48:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e1f924c7-ee85-4d41-9aac-33bfdd816a48

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/336098/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.30087.8344.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Сreating synchronization primitives

DNS request

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6378b4636fda73cab64e7dd7/reports/e1d441c6-2c4c-4af5-9039-d00dcb137f09/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fa4bce43-9085-4555-b119-166418efbdaa

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1117112

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c2eda4db0f0cfb353ff0646672d055e2864daaec0bae7e66c90a405dcf3ea39/

Threat name:

ByteCode-MSIL.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-19 10:48:12 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dqxnutnq6dh3gu77azdgoliflyugjwvoyc5opztmscsalxht5i4q._file

Verdict:

suspicious

RedLineStealer

019a02c78ac08e21fb8eb9b6bd4c120d56d24077ae385fa959efa70ed890309f

RedLineStealer

26e9c2f05c547a575d40b66a4feb317af53b65062611eea7ed6005e0ed88d1e9

RedLineStealer

2c735406da96a49a4d79b1cfca607013dff88e49c5d1526e5a04f4a32111d785

RedLineStealer

544ccf26cf0038cc8d76b952e349f3e49db27e4d2cdc89ea72fa2fb8e8996038

RedLineStealer

623c410c316befe7e6cf4d8459bc0d112d7462b40dd31c524f10f268f1ef378e

RedLineStealer

af90b7982f9e83491575881365351306991619644e94fde6382d892f27a7fb1b

RedLineStealer

fcaf490e6ee9254f89eecbce2dd1dfa355e450c30a8648e7db43db4c5e9e434d

RedLineStealer

ff861cbd5dd1021564dbd050ee3cc084a7cc05d45295b3abd3ceb1cf020b7a9a

RedLineStealer

+ 611 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:usja infostealer spyware

Link:

https://tria.ge/reports/221119-mv4e3scc3w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

RedLine

RedLine payload

Malware Config

C2 Extraction:

109.107.191.169:34067

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/26c99987-ce73-4639-8d86-291a9688811f

Unpacked files

SH256 hash:

1c2eda4db0f0cfb353ff0646672d055e2864daaec0bae7e66c90a405dcf3ea39

MD5 hash:

a8150c09777efeb0e755abd6cbc36b5e

SHA1 hash:

1a208c6722924c568dc86fc51ac580a4f459213e

Link:

https://www.unpac.me/results/003d8e0e-3c3d-451e-943e-690f12d5664c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1c2eda4db0f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/336098/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample