MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 309223160cbe62679447c2fdb7f13fe775d9c21a6d686c21210571a8c6500385. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 309223160cbe62679447c2fdb7f13fe775d9c21a6d686c21210571a8c6500385
SHA3-384 hash: 713688c23716a7cfa21cbe8c7ea678b2bf6e911cdf63a75e214914a2ccdad99bbdc107520e22cdcc9b3a4b73d09b4484
SHA1 hash: 3ef72a862679ca24fc3c1125f58fe115cc8f7094
MD5 hash: 92df6c69877f0f691af52e6bfaa82308
humanhash: cardinal-king-eighteen-victor
File name:Gold Island Launcher 0.7.5(Beta).exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'387'776 bytes
First seen:2023-01-16 15:23:57 UTC
Last seen:2023-01-16 16:35:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a5eb0f81fa12ecd499c701ada492a1a8 (2 x RedLineStealer)
ssdeep 98304:S3D5kKIMKJaFCFT1BPlmoM9x3KP2v9jbhJEoAcOmj+sIvSxC:0FEFT79pkFjsk5KsI
Threatray 5'852 similar samples on MalwareBazaar
TLSH T178462333A75628C5D5C4CC764B37FEA0B1FA431E9F86AC3499D66CC22D168E4E213A47
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0b2296d29b3d270 (1 x RedLineStealer)
Reporter iamdeadlyz
Tags:79-137-199-206 exe FakeGoldFeverGame GoldIslandGame RedLineStealer


Avatar
Iamdeadlyz
From goldislandgame.com (impersonation of goldfever.io)
De-pump of b6da97368c158c377e87495c9cdeb149f4258d2e18f88edc408b6ca19305c41d
RedLineStealer C&C: 79.137.199.206:45354

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Gold Island Launcher 0.7.5(Beta).exe
Verdict:
Malicious activity
Analysis date:
2023-01-16 15:26:47 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/eae96e08-534c-4f91-802f-8b99b3476f2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353450/
Detection(s):
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.15832.10337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60694/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/63c56c1386e9647bb4c9ac52/reports/b9295d57-742a-4961-a2e6-cacc0630c2df/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d8d5d38-3454-4349-b34e-851b5451043e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152459
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/309223160cbe62679447c2fdb7f13fe775d9c21a6d686c21210571a8c6500385/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2023-01-16 15:24:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcjcgfqmxzrgpfchyl63p4j74525tqq2nvugyijbavy2rrsqaocq._file
Verdict:
malicious
Similar samples:
3fd1e5924ec48bb5abc6243cf1641e5f0323ab68d494e5c412a830e45f1e36d7
RedLineStealer
6b6baec6f1e73d38262ea3ac6a91acb44bb64d30bd948c89f9b8d97979fbff61
RedLineStealer
90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e
RedLineStealer
d38094e9d3a8f4995cb29474aafda7a4ab5c9ae3a5b9742ca48abc4eb830697e
RedLineStealer
f0c4d646faeb763310b365bb3f429adbdfcf2d58074618cf9d52fab1457d64fb
RedLineStealer
ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f
RedLineStealer
+ 5'842 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:10.01 infostealer spyware
Link:
https://tria.ge/reports/230116-ss2flahb55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
79.137.199.206:45354
Unpacked files
SH256 hash:
81a012101fc05b8fdbaa39ca62f411cf3458dbdbeeb71c49f13a7d06aec06870
MD5 hash:
cf889a1d91f0064a0939c94eccde01b8
SHA1 hash:
f06171f239b24987c634361317446b48f18556c2
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/90815005-cb3d-40ee-a28b-dd3bd6df6023/
SH256 hash:
10a65eb103fdb33bcc53f32f6a3994c77a34858930d2c41cb7ebe26f6ca1e053
MD5 hash:
e89acb12654da9d52e91048bfa14f41f
SHA1 hash:
07c304b7a2f58a86a9091ace01678a5ef38bcc9e
Link:
https://www.unpac.me/results/90815005-cb3d-40ee-a28b-dd3bd6df6023/
SH256 hash:
309223160cbe62679447c2fdb7f13fe775d9c21a6d686c21210571a8c6500385
MD5 hash:
92df6c69877f0f691af52e6bfaa82308
SHA1 hash:
3ef72a862679ca24fc3c1125f58fe115cc8f7094
Link:
https://www.unpac.me/results/90815005-cb3d-40ee-a28b-dd3bd6df6023/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/309223160cbe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/309223160cbe62679447c2fdb7f13fe775d9c21a6d686c21210571a8c6500385

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

zip 60ede2cf5aaef4293a5e9d571215438a1c4d7de345efb42976ede6b819474752

RedLineStealer

Executable exe 309223160cbe62679447c2fdb7f13fe775d9c21a6d686c21210571a8c6500385

(this sample)

  
Dropped by
SHA256 60ede2cf5aaef4293a5e9d571215438a1c4d7de345efb42976ede6b819474752
  
Dropped by
SHA256 0912309eb53cff85cf0ab2cfcb9a159a1df2c0059c78189caf596e68b5d641ed
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/353450/
  
Dropped by
MD5 a63e066f2bfffd0651f40a77283f8b42
  
Dropped by
MD5 17e437651be90c8afa887fb7215097df

Comments