MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 296cd5651b7b3513ce3d8b9cde7afe49638364ae715314f699e9bf1709f858db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	296cd5651b7b3513ce3d8b9cde7afe49638364ae715314f699e9bf1709f858db
SHA3-384 hash:	7ee20ab969358d69f1d4961d33832c22c626a2749021668bf20c0fedc3a7eea20556325595e48e25460bb8776fce9e47
SHA1 hash:	ef06cdec3ff3e4b04d2cb756f0af5557e7c30320
MD5 hash:	0da733a94f661480cf9564a167622077
humanhash:	princess-winter-vegan-oxygen
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'461'696 bytes
First seen:	2022-10-27 17:14:37 UTC
Last seen:	2022-10-27 17:22:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4b1d296ddacb242a7b3463de1e9b11cc (9 x RedLineStealer)
ssdeep	49152:rKikSEdDk9dCVCCT5QprQCGykdbeHUD0eAid1vL93HD:rKPSEdDkjCgEkqykVrD0erd1vL93HD
Threatray	1'163 similar samples on MalwareBazaar
TLSH	T157B5BF3AE70614B4D76353B5C19EFE77DB14B63480269E2FFF86DA0CA4234136C8925A
TrID	42.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 16.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.6% (.EXE) Win32 Executable (generic) (4505/5/1) 5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://79.137.192.57/tool/softwinx86.exe

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-27 17:19:22 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5f10d4ad-8b1a-4ce2-be6e-550492a9c48a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/325054/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/46058/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b060ca09-1e39-4e41-bf48-2ca004f52741

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1099602

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/296cd5651b7b3513ce3d8b9cde7afe49638364ae715314f699e9bf1709f858db/

Threat name:

Win32.Trojan.Privateloader

Status:

Suspicious

First seen:

2022-10-27 18:29:09 UTC

File Type:

PE (Exe)

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ffwnkzi3pm2rhtr5roon46x6jfrygzfoofjrj5uz5g7rocpyldnq._file

Verdict:

malicious

RedLineStealer

383086b2fc32ea35b9d39e7f511a256707950745fbb1029826a2ef3d8c2fceba

RedLineStealer

93cd88df35462d4d5c4e0c43571f7c96abb7052727da7396059efc98a9aba64c

RedLineStealer

9d65fdd5712d61dc216555a9ef935c9e488e3b5aea1f3e5deb62db84f6e8ff38

RedLineStealer

a334fa92fab1199f16a272b0f2f63465750f98bed946d23f8f7ae498206ca553

RedLineStealer

bc344fa8dbd94f5389ffa55482ad2a9eae87b440002fdded287e838264982fc4

RedLineStealer

d9991526284c1d9bec5cc85c9be4f83d26c358452a832ed8a53aadfe964cc464

RedLineStealer

e06350ca8bc607363fdbe88455138486915f61a3a6f06a04031ac970b63d8b7d

RedLineStealer

+ 1'153 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1310 infostealer spyware

Link:

https://tria.ge/reports/221027-vsmcsadadj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

79.137.192.57:48771

Unpacked files

SH256 hash:

9b26a9492ddddefa0edcf4c84697758d31ed916bbd6134e3ea6da2e5590343ff

MD5 hash:

875ac69695995d5f091e66465b3280a7

SHA1 hash:

8df4080942e1571dd1d3755a34716be288504673

Detections:

redline

Link:

https://www.unpac.me/results/6694bafc-6f67-4040-99b3-f71e4b8a10aa/

SH256 hash:

296cd5651b7b3513ce3d8b9cde7afe49638364ae715314f699e9bf1709f858db

MD5 hash:

0da733a94f661480cf9564a167622077

SHA1 hash:

ef06cdec3ff3e4b04d2cb756f0af5557e7c30320

Link:

https://www.unpac.me/results/6694bafc-6f67-4040-99b3-f71e4b8a10aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/296cd5651b7b3513ce3d8b9cde7afe49638364ae715314f699e9bf1709f858db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/325054/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample