MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d6baba880112637b879dc43d27adfa60111d612a2076525a9b8ebb66d333e7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	1d6baba880112637b879dc43d27adfa60111d612a2076525a9b8ebb66d333e7b
SHA3-384 hash:	7e842a25301f1ec67b61ab4364d81d4d5b0df702f3292df702512bb2c9b583a2a32074732bdb2200edd41e6afa901f6e
SHA1 hash:	2a3b6aef90a53bbd98a751b3392d2f428f50b72c
MD5 hash:	b91943796cd015e0644b38477cc22330
humanhash:	william-mobile-delaware-grey
File name:	b91943796cd015e0644b38477cc22330.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	350'208 bytes
First seen:	2022-06-28 01:37:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3f0888305a369a44455dcf5f4e579ce7 (8 x RedLineStealer, 1 x Loki, 1 x Smoke Loader)
ssdeep	6144:fPJxXUwWXmW1mhNsAk1SpZUXABWcjVQRRu5PIgu3z8CbT0p7ITsqX/m/:fPJRNWXTY7sAk1LXwWCORuSgu3zPsp7R
Threatray	3'950 similar samples on MalwareBazaar
TLSH	T1CA74F1E0B7D0D831C46235305872CBB26A7E7C12E670858B7B786B2E6F747D06A76346
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0ee072f0b6364a32 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.81:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.81:23196	https://threatfox.abuse.ch/ioc/729655/

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/283735/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed

Link:

https://www.filescan.io/uploads/62ba5b7c03fa367ea5832155/reports/236e6ec2-f4e9-4c42-8ed2-88e2b3e71c37/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6a255933-0fc7-4ba3-afd1-50a27d0198c9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1020838

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d6baba880112637b879dc43d27adfa60111d612a2076525a9b8ebb66d333e7b/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-06-28 01:38:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dvv2xkeacetdpodz3rb5e6w7uyardvqsuidwkjnjxdv3m3jthz5q._file

Verdict:

malicious

RedLineStealer

92e85887b5f35032451e99dfaafc6968e68c26c274c9f5757b70691fe116a9a8

RedLineStealer

9632ef251fc7538bbf3d50d17035c5ceaf3d7a0fb571e424d0c3c28a829cdf85

RedLineStealer

9fd81825d63ea65fafe9ce234eea9459487a5408bed2a9df0158b45be4be7553

RedLineStealer

b391f976ef1b8d61400aee7717095db388174e8c0198624b3766ed020c2d656b

RedLineStealer

c8037e53bce9878999866f4f25aafb4469e2a0b91d4c64d3b3f16f4e77a23f10

RedLineStealer

c92d7fe17a1517afd048abfc4292cdbcb6b7fc9419c42dfc2b51fb841beec8dc

RedLineStealer

cff9a1b58d27045ffbe799d15b1735af2c99dbc233040ad8e1f6be71c821578b

RedLineStealer

e005f84bd0131aee8f28b996dc349755184750012242412cadad077f6d06328d

RedLineStealer

f1d35589ab4afd274172a3a899254efcb6aaac6d50cb0e192bf93d162a1d70b9

RedLineStealer

+ 3'940 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzkii discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220628-b2dmfsgbg2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.81:23196

Unpacked files

SH256 hash:

2c600d2053fce971407d90ad808667349b084b5079e8cae76d0f18a61b371dcc

MD5 hash:

0a28804300b70fed45f854fde1a32f8f

SHA1 hash:

88dff253847523959a085a13dfca7ea879134a79

Link:

https://www.unpac.me/results/1b996ce4-53d2-4def-8878-78b311a57551/

SH256 hash:

2a03df14438771d6dda40f13fdce7dc6098b3fd1b49f4a7829982af16c38258a

MD5 hash:

abf42202549df9591e9ac220c20a4c67

SHA1 hash:

5c6ee2d6deb4719dc3969da488b0d77e2005dcb2

Link:

https://www.unpac.me/results/1b996ce4-53d2-4def-8878-78b311a57551/

SH256 hash:

12b8f1feda7e36038879c8c11404e3fb6945ca97ca252d684add5efe4b4d55c7

MD5 hash:

c0052d9305521ba28fd8e5025cc962d7

SHA1 hash:

40337d4959bc384f4b21a33d41f601f70adbfe86

Link:

https://www.unpac.me/results/1b996ce4-53d2-4def-8878-78b311a57551/

SH256 hash:

1d6baba880112637b879dc43d27adfa60111d612a2076525a9b8ebb66d333e7b

MD5 hash:

b91943796cd015e0644b38477cc22330

SHA1 hash:

2a3b6aef90a53bbd98a751b3392d2f428f50b72c

Link:

https://www.unpac.me/results/1b996ce4-53d2-4def-8878-78b311a57551/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d6baba88011/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d6baba880112637b879dc43d27adfa60111d612a2076525a9b8ebb66d333e7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.