MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
SHA3-384 hash: ae02164f438890757e464e97bb023a7b3d99fec49a5cc05b7c6d1fbe269b4147a5eef2a241336de595b43c5f0d6230b2
SHA1 hash: 1a2888be54c1f1a5c2c29f53811563b23adb6c84
MD5 hash: 6bcacba2cf1856b068538f3259a1ba5f
humanhash: wolfram-north-nuts-solar
File name:6bcacba2cf1856b068538f3259a1ba5f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:414'720 bytes
First seen:2023-02-06 10:25:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 13dc564127b9f6b618808536c7e12f68 (12 x Smoke Loader, 12 x Tofsee, 9 x RedLineStealer)
ssdeep 6144:hAxLk7ooe6qCgpF9DisMhOmasjn4jPWZYf5UVS/fuk6o:hImTCRbJisMh3asjMP+Yjfr
TLSH T1E694BF03EAF27C53E92287729E1EC7E8769DF5508E18776512288E1F14713B1D7B3628
TrID 38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 480c0c940c1494c0 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.7:4138

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
b8796b74692a8a9d0833129538c53b2b.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 10:12:50 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/f86dcd4f-8fb3-458e-8ccc-8f6d946cc383

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360787/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63e0d5bd447edb203a02e6c8/reports/b7b432a6-2382-408e-b431-20acdca8ee80/overview
Verdict:
Malicious
Labled as:
Ransom.788A61AA
Link:
https://www.hybrid-analysis.com/sample/1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1385eae-b355-4d73-98ec-db8960092083
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166491
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 10:11:52 UTC
File Type:
PE (Exe)
Extracted files:
81
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvi6bfscnczvv62dgicrhlmyg7wgwhal2dswazpk2xmzwoczm62q._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:bilod discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230206-mgh7zsgg2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.7:4138
Unpacked files
SH256 hash:
95b22384041f920e2d5c6dbb86886bf8de7b19441f05b05654d22a4188e04a50
MD5 hash:
ad45a06c16d0e11a346b8e06e514f6c7
SHA1 hash:
aca7ac9af6f065648b559be441dbb2a639dcb9a2
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/eb596d8a-12ac-475b-9432-6c0d27722af1/
Parent samples :
1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
b7e899976d3623c9de25a73f0fd57d963f12af9b0cacc952f1ce5aa14b93f920
dfe21a9c782431cbaa3f36a174c1eb493a5b161f6da763e74cb11d65fabe8eab
a373356377baa29111c9c78123b35689f35dd91d6b440262646078d6571cecf1
SH256 hash:
56d331d10b814d3bf111a7be43ded93212f1a6538b7f1ed27b36ef01552c6ed4
MD5 hash:
ed50aef1e5392cc41f2f7ad564197b86
SHA1 hash:
79abf2fb46e76cd7ee994cf40120483a6181548c
Link:
https://www.unpac.me/results/eb596d8a-12ac-475b-9432-6c0d27722af1/
SH256 hash:
736c3be20841c64e8c3494022027e9cb478a3c34338fa576c02372bb1c1c6470
MD5 hash:
a21d55f20608a424700512cbe24c33f4
SHA1 hash:
5d7279d9107ed162f466a284a966df2195e3b511
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/eb596d8a-12ac-475b-9432-6c0d27722af1/
Parent samples :
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
b7e899976d3623c9de25a73f0fd57d963f12af9b0cacc952f1ce5aa14b93f920
dfe21a9c782431cbaa3f36a174c1eb493a5b161f6da763e74cb11d65fabe8eab
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
eceade3ce86427080b0f4efe03d382ae3ae049cdcafef49cbd1365aab1918ec2
a373356377baa29111c9c78123b35689f35dd91d6b440262646078d6571cecf1
SH256 hash:
1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
MD5 hash:
6bcacba2cf1856b068538f3259a1ba5f
SHA1 hash:
1a2888be54c1f1a5c2c29f53811563b23adb6c84
Link:
https://www.unpac.me/results/eb596d8a-12ac-475b-9432-6c0d27722af1/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d51e0964268/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2528642/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2529227/
Cape
Cape
https://www.capesandbox.com/analysis/360787/

Comments