MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5
SHA3-384 hash: fe335e2fd6bc02851c5f3cd3d0beb55e8d83b0802c5ee3162bec80a411e8ee57cec92d42abf703efea3ee1113a58c67f
SHA1 hash: 0ed5eed26b81ca8ec2dab76d72c3a2b38d162e47
MD5 hash: 51b9628db4e9e1cf9be5d2a864e0b7da
humanhash: connecticut-romeo-yankee-fruit
File name:Fortnite hack (BuzzInjector).exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'618'679 bytes
First seen:2022-07-30 13:29:46 UTC
Last seen:2022-07-30 15:14:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:u101ZS0zYPYIzrvGmyMLwdL9nQO1Yb0HsAGcWmLhWZLixDAl3RuQ55313p:u1wSKTudcWmLhWZNl37
Threatray 160 similar samples on MalwareBazaar
TLSH T112C50A135A8B0E75DDD23BB461CB633AA734ED30CA3A9B7FB608C43959532C56C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.160:8673 https://threatfox.abuse.ch/ioc/840342/

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295221/
Detection(s):
SecuriteInfo.com.W32.Trojan.HLPX-5019.14904.24678.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27807/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay redline spyeye
Link:
https://www.filescan.io/uploads/62e532d36336465f2af7f05a/reports/bc38ca40-9156-4120-9eb9-aafff5309cd1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4413574e-4be7-42e9-85c4-f7217ccdeed6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043507
Signature
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-07-30 13:30:11 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gd562z3idamalhl3cbgpmgmjmbyelkk7gigsgiye5fefd6xrnpcq._file
Verdict:
malicious
Similar samples:
048dd27ebf54abf71432114d0d2798b6191141789f1ef99196c352b14a10eb0f
RedLineStealer
27e097f778ff901a6ab3ec22ab871e5185328dd9243654087fa52926337d012f
RedLineStealer
339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297
RedLineStealer
3fd03e97e6f2458b005bdce0947812b5eba12f37580e4a961730fee4868b0fa4
RedLineStealer
56013a94edeaf931e04fc0103058f3d183f1fd9f46e4e133d6f4bb63a0826486
RedLineStealer
768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b
RedLineStealer
c008dae28d28d9b7601321ca95b5785c346681b7b202ef8d1b43e43197baf1b7
RedLineStealer
c163314e4b432b5bd2955f79a65ce05d0ff92e4cad74c6e2685424946dd87363
RedLineStealer
d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528
RedLineStealer
e69716b0ea13b412bf6e3ac4f9a0bca987d99788f9d20cedd8fcacee0a7c3f38
RedLineStealer
+ 150 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220730-qrs2qabcf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.160:8673
Unpacked files
SH256 hash:
294029e5a5243c72a21dffc7c7009526ed94ad0e051810b92c1881ee65f26b89
MD5 hash:
4cbba73c04eb7ec4d47702888f8a7145
SHA1 hash:
1e5f6dc89f1fe5f4553106c99065ac75d4e7761e
Link:
https://www.unpac.me/results/643b0b14-905b-4ac2-b557-3c18a37b2731/
SH256 hash:
30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5
MD5 hash:
51b9628db4e9e1cf9be5d2a864e0b7da
SHA1 hash:
0ed5eed26b81ca8ec2dab76d72c3a2b38d162e47
Link:
https://www.unpac.me/results/643b0b14-905b-4ac2-b557-3c18a37b2731/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30fbed676818/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/295221/

Comments