MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f
SHA3-384 hash: 6f4ca0baf7658c1bb5650885dce38a0dd32a933c326dc9183295fd9c1ccf00b4fdc16b350cd528e1f6cb9438ca32f14c
SHA1 hash: 744eade13828533e7f0fa5c91cd963e88b205402
MD5 hash: fedf404b97ebf25a2df2b7456bbdd974
humanhash: cardinal-fillet-princess-carolina
File name:fedf404b97ebf25a2df2b7456bbdd974.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'165'951 bytes
First seen:2021-10-19 13:35:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 24576:T20gPgFKAjkQxAVBbIcXV6uv8A6td2/h2r9y93/ogwk3aNk:KKLxAjIEAN+gJMz
Threatray 285 similar samples on MalwareBazaar
TLSH T1E045AE346FB0D835D19E86311B346B14A639EEB736638382ED5AF64E91F25403B36393
File icon (PE):PE icon
dhash icon 68ccb0f0d4e8f0cc (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://94.103.88.253/pcbooster.exe
Verdict:
Malicious activity
Analysis date:
2021-10-18 23:30:22 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/95b6d6ec-a380-4d6c-a910-40139b93c92c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198515/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Deleting a recently created file
Self-deleting of the BAT file
Launching a process
Using the Windows Management Instrumentation requests
Launching a service
DNS request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Launching a tool to kill processes
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/616ec9c5db358dd15ec4a889/reports/45e76be5-53b0-4722-a011-85f241ba2bf2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1edd7c1-7608-45c7-9e06-44a356a324a1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873796
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 506224 Sample: uKkxgSD6vp.exe Startdate: 20/10/2021 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected RedLine Stealer 2->66 12 uKkxgSD6vp.exe 3 7 2->12         started        process3 file4 48 C:\...\KR0923403904322FT.exe, PE32 12->48 dropped 15 wscript.exe 1 12->15         started        process5 process6 17 cmd.exe 2 15->17         started        signatures7 60 Uses cmd line tools excessively to alter registry or file data 17->60 20 wscript.exe 1 17->20         started        22 KR0923403904322FT.exe 5 17->22         started        25 conhost.exe 17->25         started        27 3 other processes 17->27 process8 file9 29 cmd.exe 1 20->29         started        46 C:\RKL4099023598809324\pgamer.exe, PE32 22->46 dropped process10 signatures11 68 Uses cmd line tools excessively to alter registry or file data 29->68 32 pgamer.exe 29->32         started        35 taskkill.exe 1 29->35         started        37 taskkill.exe 1 29->37         started        39 5 other processes 29->39 process12 signatures13 52 Multi AV Scanner detection for dropped file 32->52 54 Detected unpacking (changes PE section rights) 32->54 56 Detected unpacking (overwrites its own PE header) 32->56 58 3 other signatures 32->58 41 pgamer.exe 3 32->41         started        process14 dnsIp15 50 185.215.113.107, 61144 WHOLESALECONNECTIONSNL Portugal 41->50 44 conhost.exe 41->44         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-18 22:01:08 UTC
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eruuo47k4rzsj5m3cuq72uydwn2c3ofirylxkfxpshyusm7ddaxq._file
Verdict:
malicious
Similar samples:
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
RedLineStealer
5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7
RedLineStealer
9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146
RedLineStealer
9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875
RedLineStealer
b8ca6d1a4a9eb79150cc8ac9a36f1c5f9448be4b41eae668b5e32c25aa34a837
RedLineStealer
cb8bd17e49390c51c71aeb5176fabd5c0dcef8aca83c7dce4af0b3e378c2e5ee
RedLineStealer
f71af69d5802a003452e0401c936c344911f215d6d8a9f34359b9d1cdc758542
RedLineStealer
+ 275 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mew discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/211019-qv9hwaggdk/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.107:61144
Unpacked files
SH256 hash:
54a2d4afa0c3ca6c540817b4ce27bfaf7f5003e6c9cfeaba7b2a34bf5178b98e
MD5 hash:
95f8f5196dbfbe175f40b00a59b151d6
SHA1 hash:
f2c0639e367bb3d6165f7f081c60cee65a60feb2
Link:
https://www.unpac.me/results/c916be8f-275c-4268-bf24-0990c7a41a32/
SH256 hash:
08478423896cf55a624df83fa3e9b48c14231ea87ac2947928fe2e2900ce201e
MD5 hash:
a6f6b05deb8368929e494a6d4819ca62
SHA1 hash:
7d412b56215aaff373673b70a29d711c70737805
Link:
https://www.unpac.me/results/c916be8f-275c-4268-bf24-0990c7a41a32/
SH256 hash:
1ed1d070019e8edd161278c4204d91bc0567b50e75040aae13b23ded53674ccf
MD5 hash:
e7214f1264be8494193ea25186546397
SHA1 hash:
ecc9681439aaa5ef4a442238bc875ebbdf4b54c6
Link:
https://www.unpac.me/results/c916be8f-275c-4268-bf24-0990c7a41a32/
SH256 hash:
96a481ba5c3833bab1c48742d943e5c7d2221342d2b5734ece5403d931693d43
MD5 hash:
7a8e95d06cdd6cdd188b6d44c39bbf4b
SHA1 hash:
3879839bed50a6a3fecd94284cde7523f6b00a0f
Link:
https://www.unpac.me/results/c916be8f-275c-4268-bf24-0990c7a41a32/
SH256 hash:
72f2f4adf630cc4b5df5987c2c1780c24cd992ff44048e3c45b612c0256a9d7f
MD5 hash:
32f73694951a1e5ee6ede05c194fd717
SHA1 hash:
845171b24e952abc2efccf9050e3550a109b1b74
Link:
https://www.unpac.me/results/c916be8f-275c-4268-bf24-0990c7a41a32/
SH256 hash:
24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f
MD5 hash:
fedf404b97ebf25a2df2b7456bbdd974
SHA1 hash:
744eade13828533e7f0fa5c91cd963e88b205402
Link:
https://www.unpac.me/results/c916be8f-275c-4268-bf24-0990c7a41a32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198515/

Comments