MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d
SHA3-384 hash: 6b1e0aad605b7a1e2631cebb2fcb67d7461831b7d341af368c98ca7ef048ab9c3886e723535f678ef17921b40ddb334d
SHA1 hash: 3f0cbb0eed2cbe44893c15d4ced4c52e834fb541
MD5 hash: 7cef475a0a280314a00dd3a2727f82eb
humanhash: magnesium-social-nine-triple
File name:New Kiddions.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'974'464 bytes
First seen:2022-11-07 19:31:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d0fd263b05a2900e145ed3176092ae55 (1 x RedLineStealer)
ssdeep 196608:4K9vfEGvUZ5eUXS0yTSlbmHErjiCmEGgBKay1IVO:pF8Gvo5e30yT4yTEGgBK1IVO
TLSH T1706623632161C189E8A68B3CC627BCF1B1F21E6AD941887F64FABDC13570AE5D513B43
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1865676565a52158 (3 x RedLineStealer, 1 x Neurevt, 1 x ArkeiStealer)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
New Kiddions.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 19:27:04 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/b0fbd35a-363f-44c5-b01c-8a71dad26893

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/330184/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63695d331b78baadf87f9030/reports/19f587b6-17eb-4260-a673-559d1dd6d2aa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0852e7c-fb5a-4b5b-bc81-22ffe82c7953
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107621
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 740282 Sample: New Kiddions.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 9 New Kiddions.exe 1 2->9         started        process3 signatures4 53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->53 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Injects a PE file into a foreign processes 9->59 12 AppLaunch.exe 15 7 9->12         started        17 WerFault.exe 23 9 9->17         started        19 conhost.exe 9->19         started        process5 dnsIp6 37 193.106.191.160, 49700, 8673 BOSPOR-ASRU Russian Federation 12->37 39 dl.uploadgram.me 176.9.247.226, 443, 49701 HETZNER-ASDE Germany 12->39 33 C:\Users\user\AppData\Roaming\app.exe, PE32+ 12->33 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->61 63 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->63 65 Tries to harvest and steal browser information (history, passwords, etc) 12->65 67 Tries to steal Crypto Currency Wallets 12->67 21 app.exe 12->21         started        35 C:\ProgramData\Microsoft\...\Report.wer, Unicode 17->35 dropped file7 signatures8 process9 signatures10 49 Multi AV Scanner detection for dropped file 21->49 24 powershell.exe 11 21->24         started        27 powershell.exe 5 21->27         started        process11 signatures12 51 Queries memory information (via WMI often done to detect virtual machines) 24->51 29 conhost.exe 24->29         started        31 conhost.exe 27->31         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-03 01:34:48 UTC
AV detection:
22 of 40 (55.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ew5rxdqwhlhwr4da6iogndhuvs3vihsgsr5pcpyrwbmbz2t4x4wq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@crxnix infostealer spyware
Link:
https://tria.ge/reports/221107-x8xvkaece5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.160:8673
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6a741b7-38b2-4d96-8a83-28386632f366
Unpacked files
SH256 hash:
1333593ac587e1a3e1e96c675b0779203ea0f49fda16efd1da634d13897426b0
MD5 hash:
5bc9ca98d4f0db06447a956188fe5f3d
SHA1 hash:
584bd58cc1a1ba13f6edc1eab4ef81168342454f
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9b387637-8bc6-4d3c-a1e6-f9a9179266a6/
SH256 hash:
ea030f329ee35d159c434592eaa09b0965dd849779426b0d844fc5b307d79767
MD5 hash:
79c95dd92d604fce9ce0fd1618f891cb
SHA1 hash:
445bd56eebbdfd0ae44d07be1ecf2a415c2008be
Link:
https://www.unpac.me/results/9b387637-8bc6-4d3c-a1e6-f9a9179266a6/
SH256 hash:
25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d
MD5 hash:
7cef475a0a280314a00dd3a2727f82eb
SHA1 hash:
3f0cbb0eed2cbe44893c15d4ced4c52e834fb541
Link:
https://www.unpac.me/results/9b387637-8bc6-4d3c-a1e6-f9a9179266a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/330184/

Comments