MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e
SHA3-384 hash: 838d7ef51d4db50ae4ff6b6d34c1c6b0ef8ba0de59aa2871730de1c749df176edc0c0e1b525d8c98f11ae53f87a56308
SHA1 hash: f30bfba63ff4ea5c73048631bdadbbd37d22ffb0
MD5 hash: e8267780010f1b79d10d22bf70ba6f5e
humanhash: low-avocado-comet-arizona
File name:e8267780010f1b79d10d22bf70ba6f5e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:357'376 bytes
First seen:2022-04-01 19:08:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 6144:fBlkZvaF4NTB36TS5eLB2GoVSnQxJLP4EcMVG9gXulR8zV6LGU59PgK/Tis:foSWNTpazASnQxJLwxMV3XulR8x6r59j
Threatray 120 similar samples on MalwareBazaar
TLSH T10F740154B3F142B7E5E1453200B561AF9B3953346B11E8EBC78C2D819863AD82F7D3EA
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
467
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34587420.17402.2208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Sending an HTTP GET request
DNS request
Forced system process termination
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12364/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62474dd61f2042394866f7fb/reports/c52a8307-4ec0-4f78-a9a1-2bda54946a59/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/29106ff1-a104-46d8-8b71-47ea854612b5
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/969223
Signature
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses BatToExe to download additional code
Yara detected Babadeda
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 601710 Sample: BhyzQZkTBA Startdate: 01/04/2022 Architecture: WINDOWS Score: 76 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected Babadeda 2->31 33 Machine Learning detection for sample 2->33 35 Yara detected BatToExe compiled binary 2->35 7 BhyzQZkTBA.exe 9 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 7->25 dropped 10 cmd.exe 1 3 7->10         started        13 conhost.exe 7->13         started        process5 signatures6 37 Uses BatToExe to download additional code 10->37 15 extd.exe 1 10->15         started        18 extd.exe 2 10->18         started        21 extd.exe 2 10->21         started        23 extd.exe 1 10->23         started        process7 dnsIp8 39 Multi AV Scanner detection for dropped file 15->39 27 transfer.sh 144.76.136.153, 443, 49766, 49767 HETZNER-ASDE Germany 18->27 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-01 19:09:11 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
266a45969422bf72c70f51789a21f70f175f12a1e8b387b0dfcf6bf3f71c68e4
RedLineStealer
39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c
RedLineStealer
4710c5debc1ad17a85ef82676a4b6b7e15054966de57b0f4bab61c4ede209830
RedLineStealer
68468e56e132b170aabb28e2868b1dbd0bf40f14c0b0406fe78ad3c71ce9f527
RedLineStealer
6e34f951634493ec7a71e5c3418ed7d973ffc87351a5459722e04016c94b1471
RedLineStealer
80af29bf7cb3a8b904a8d11d34c13bd5a2dcf5b4798138c16c093b2b8a5a9105
RedLineStealer
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
RedLineStealer
ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9
RedLineStealer
+ 110 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer suricata upx
Link:
https://tria.ge/reports/220401-xtr1rscabp/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Malware Config
C2 Extraction:
78.24.216.5:12794
Unpacked files
SH256 hash:
1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e
MD5 hash:
e8267780010f1b79d10d22bf70ba6f5e
SHA1 hash:
f30bfba63ff4ea5c73048631bdadbbd37d22ffb0
Link:
https://www.unpac.me/results/1abb7796-9396-4ccb-bc42-b536cac28c00/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1d1c688d1179/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e

(this sample)

  
Delivery method
Distributed via web download

Comments


Avatar
zbet commented on 2022-04-01 19:08:46 UTC

url : hxxp://212.193.30.29/WW/file1.exe