MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49bed0ee5b85a13a4ad344c656af32fb3f5e2893f049e37d65268e40fcb9fe2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49bed0ee5b85a13a4ad344c656af32fb3f5e2893f049e37d65268e40fcb9fe2b
SHA3-384 hash: b3b3651a46622f3982f8c547a3380a3d7422c6d56e9a7859e00bd115db1ed2bf0a8a48eaa0646e46d699bede728e493d
SHA1 hash: 4018b58a61bda0eaf621296044d84785e4c4f209
MD5 hash: 088586db4259ea29f6ea7cca7e90cf41
humanhash: mirror-comet-yellow-butter
File name:088586db4259ea29f6ea7cca7e90cf41.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:322'560 bytes
First seen:2022-11-23 01:55:31 UTC
Last seen:2022-11-23 03:30:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 208d42a9b248c38bd314a7688d20d4a3 (11 x Smoke Loader, 4 x Amadey, 2 x RedLineStealer)
ssdeep 6144:jzi4f3hOMkkEm6fjVjZaCugKOhcCv1rTtB3F2NYXTDw/oAr9ExCeU9:jzi8hOMNE1fpmgbhvv11BW/o88TU
Threatray 12'038 similar samples on MalwareBazaar
TLSH T14564F12039F2D432C69756304A24D2907BBFB5322ABAD6477B58466E4F302C1EF76367
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 30323261e8c88c94 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.31:47242

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
088586db4259ea29f6ea7cca7e90cf41.exe
Verdict:
Malicious activity
Analysis date:
2022-11-23 01:56:50 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/134f3bc0-95b0-4884-93b4-ff3e0c8c56dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337395/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.32602.29528.12468.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Connecting to a non-recommended domain
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit mokes packed redline
Link:
https://www.filescan.io/uploads/637d7db3559d07a06f46ec3e/reports/f56ce6ad-bce6-4660-b8e8-10cedfed9223/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8ed50b5-4dcb-4786-b8bc-7d6a7c2f86b3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119358
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49bed0ee5b85a13a4ad344c656af32fb3f5e2893f049e37d65268e40fcb9fe2b/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-19 06:50:32 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jg7nb3s3qwqtuswtitdfnlzs7m7v4ket6be6g7lfe2heb7fz7yvq._file
Verdict:
malicious
Similar samples:
1e1c1160f517a2e9186861a2e2bb104fa33711c7d7f40f04cda721f50d62df5f
RedLineStealer
474b857a9ae1d311198c37c13617c00b1d111f3f2a1a462aaef75dda5a9e37d1
RedLineStealer
5c51b93c1c6c3417222b12f14d7182d2f6892da208bd363ceb8487d23c7d8361
RedLineStealer
9de65be7854aa8dd5431e5633ce0a8844fe9e688f2a79bac6ffff076757adca2
RedLineStealer
f18f8472bcfe47304e02dac3121d113af06d6eba8d94a0911d192807da34f294
RedLineStealer
+ 12'028 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1700 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221123-ccph4abe7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.106.191.31:47242
Unpacked files
SH256 hash:
978d444ba8d3b999205561d0a88489c2c25627ac83239a966e061c8839d73a3c
MD5 hash:
fc5c13549a28f2cf04b755d5713ecb20
SHA1 hash:
3bdf774e9b100470df1a0f379a8ef18eb4ac581b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/56559c22-c75a-4b11-a8ec-2ea98719e1ca/
SH256 hash:
b65aef56e542731d389f3badb781e1138687fcf6e0c7a348d94b9457925b96c2
MD5 hash:
0d87d3d8f36b411ad5a5a19ee4460d6e
SHA1 hash:
1b32ec042dffd2206cf7d285dea2328120731763
Link:
https://www.unpac.me/results/56559c22-c75a-4b11-a8ec-2ea98719e1ca/
SH256 hash:
a183356e7612830249bb28c5fa73fa2ad9fe6c896182ea282194f7ad2dedab55
MD5 hash:
46b04f5ac12f766fe5bfa18511bf475d
SHA1 hash:
15b91c60389c3fec434593273971758c97f2c2bb
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/56559c22-c75a-4b11-a8ec-2ea98719e1ca/
SH256 hash:
49bed0ee5b85a13a4ad344c656af32fb3f5e2893f049e37d65268e40fcb9fe2b
MD5 hash:
088586db4259ea29f6ea7cca7e90cf41
SHA1 hash:
4018b58a61bda0eaf621296044d84785e4c4f209
Link:
https://www.unpac.me/results/56559c22-c75a-4b11-a8ec-2ea98719e1ca/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49bed0ee5b85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49bed0ee5b85a13a4ad344c656af32fb3f5e2893f049e37d65268e40fcb9fe2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337395/

Comments