MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
SHA3-384 hash:	81828dc293ced2811f4adbed513563364d3b7b02ceabd8ecd268eb659851f904ea1dc848416ef69479d63fd0c350716d
SHA1 hash:	81202aac19f8d5f6f46bd3ecac02bf37b35a3f89
MD5 hash:	a92948f849eeb1f847a28fb8ce56bc1e
humanhash:	sad-hydrogen-ohio-fourteen
File name:	a92948f849eeb1f847a28fb8ce56bc1e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	493'056 bytes
First seen:	2023-02-11 09:41:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4319aad8f4d315da40f6f14bc8933fbe (7 x Smoke Loader, 6 x RedLineStealer, 2 x Tofsee)
ssdeep	6144:TolRe+JfNG6MfphhaueXyLU5yQkYYmeaSltMdkTqZt5:To96/B6biLkkYpMtMdk
Threatray	14'850 similar samples on MalwareBazaar
TLSH	T1D7A43A43A2D27D50EB268A729E1EC6F8761DB5F08F0D77AB1218AA1F24712F2C573750
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13097/50/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	8484d490c0848480 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.233.20.12:4132

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-02-11 09:16:17 UTC

Tags:

trojan rat redline amadey loader

Link:

https://app.any.run/tasks/57c8ee68-97bb-4be1-a91a-eed289855345

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/363907/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

glupteba greyware lockbit packed

Link:

https://www.filescan.io/uploads/63e762ecae0d2eea07d4cca3/reports/e112943d-7f54-4587-ba88-5d46cf653ed9/overview

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6890c94a-7be6-4466-88b3-ee416a35f006

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1171940

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59/

Threat name:

Win32.Trojan.Lockbit

Status:

Malicious

First seen:

2023-02-11 08:59:45 UTC

File Type:

PE (Exe)

Extracted files:

100

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gdoftfl34xs6lltdytihcilutxbtadu26gniiksm2e6vcm55nnmq._file

Verdict:

malicious

RedLineStealer

3c6ee18e05f8ff187011dcac773e31c0bf128a2d4c8d3a17eeb8895fdb70b8d3

RedLineStealer

4b9c642204fc73a028838b29c302432c6cc910477db3f2dc08b8e4cb6bf71d71

RedLineStealer

5fe5023bd278c560ac70b19c03fd8edd86a9840181b171b6b0ac2adee386531f

RedLineStealer

6e22d94efa87e5166e89cb33d13758e32524e20820632f06ba8676389e5a0018

RedLineStealer

9099472b2e3457716b9902a0c3ea707941abfea41b7efdb0ddcd77785fb5ee9b

RedLineStealer

b586a85b1fc9d0b8370c88bca896d68b72797ee31e77f0afd080314dd6ca259e

RedLineStealer

c2284106dfb6f0631bef76af14842b4ba33b521a76416c07b0050a50df2a2f13

RedLineStealer

db5b23ccde538d4c45334e1b96ba2ed8c3d3734f63be9064c148402b2800ef46

RedLineStealer

f139fc5e2328804cc09d38a4c8403ea30d42be74046c35dc01ff7e937bd32ad8

RedLineStealer

+ 14'840 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:romik discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230211-lpcjqsee43/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.233.20.12:4132

Unpacked files

SH256 hash:

6025e99b61cf27e4199afba2bbcaff306e1c73eb08d7706210b26d8e785f8a38

MD5 hash:

5a5d7c502c8de78f62818cd74dc3fad9

SHA1 hash:

f6a32259e84173fa3e674287fed9f7682d91ed00

Detections:

redline

Link:

https://www.unpac.me/results/fde6be4b-da13-46f6-b698-87d4c1b5aa30/

Parent samples :

2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
2939c2394ceba4ec6d09b39765f26de7b9b2e768ffe5426da4f1833f33b015ee
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dfbca902423ad0c0b53e3abb0cb4e57b3ee266cb4eaec98b9baf4b107d19ccd6
0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
dca38093bc51d165acf5754982d66fe28509c85d65492d8428a240e1f85df435
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
0423f6894af5cdff8c3ea348370c3c9e950fa161b6aa7ea78ae43020d6ad6458
1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
b39502990b9ff0db6a020260147dac82e89ca3046f526ec81f3a6af1f241e78a
e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b

SH256 hash:

75f41983d7da68c378b64f8e5633bde393f9c550469ae5bd4da6d64d6674286b

MD5 hash:

285e4cae921c512fec71492eaafc27c4

SHA1 hash:

7a1022b0ec66c57a216bd0f842906917e7851130

Link:

https://www.unpac.me/results/fde6be4b-da13-46f6-b698-87d4c1b5aa30/

SH256 hash:

1b58cc46582d2af490ccd73e499c060493e03745d063c364e056b37bd27e923a

MD5 hash:

f99f30bc6d50869fd3efb586d707941c

SHA1 hash:

779d52ff7e1606bc249318253906cd380bc02148

Detections:

redline

Link:

https://www.unpac.me/results/fde6be4b-da13-46f6-b698-87d4c1b5aa30/

Parent samples :

SH256 hash:

30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59

MD5 hash:

a92948f849eeb1f847a28fb8ce56bc1e

SHA1 hash:

81202aac19f8d5f6f46bd3ecac02bf37b35a3f89

Link:

https://www.unpac.me/results/fde6be4b-da13-46f6-b698-87d4c1b5aa30/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/30dc59957be5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2532610/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/363907/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample