MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5036b5a50a5fbe581f04dde382187873f9dadf180f445271a82f9ae4a8ec36ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5036b5a50a5fbe581f04dde382187873f9dadf180f445271a82f9ae4a8ec36ee
SHA3-384 hash: 67a5a7257761d1b6356857afef1442822e5429468761ba3b65a791d4b646165fd87af0ff7f68f7c539d9136a5df74e5b
SHA1 hash: ec66039ee20b8fff9226ca7f254f5ff7d16d4edc
MD5 hash: 163fc40af22b68230176b3959f02d4e0
humanhash: sierra-purple-mirror-ink
File name:163fc40af22b68230176b3959f02d4e0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:323'072 bytes
First seen:2021-09-18 16:44:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f046730f187f46a60a21ce3e4d696896 (1 x RedLineStealer, 1 x CryptBot)
ssdeep 6144:SUZQHo5qXsp+MwfCYX8onbqT+j1DSpXNDWSTqR1+TZY1Bz//JZg:JZOsp+MwfEoniMEpXZr9OtZg
Threatray 2'080 similar samples on MalwareBazaar
TLSH T18764CF20BAA0C034F0B712F949BA9378B93D7AB15B2451CB62E616FE52347E8DD30757
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
163fc40af22b68230176b3959f02d4e0.exe
Verdict:
Malicious activity
Analysis date:
2021-09-18 16:47:52 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/da1a1b2b-5547-406f-8b5f-77514640f405

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188950/
Detection(s):
SecuriteInfo.com.Ransom.Stop.Z5.17917.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Connection attempt to an infection source
Sending a TCP request to an infection source
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68ce7a00-0b8d-4671-bd05-194f20eee028
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853260
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5036b5a50a5fbe581f04dde382187873f9dadf180f445271a82f9ae4a8ec36ee/
Threat name:
Win32.Trojan.RelineStealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-18 16:45:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ka3lljikl67fqhye3xryegdyop45vxyyb5cfe4nif6nojkhmg3xa._file
Verdict:
malicious
Similar samples:
1f6add70d2d51f1499f011a7481606212f87f2b37de9e0bc780b4c561aff4101
RedLineStealer
3e671134f9d2765d96900933bb851853250e1c26b75ee92a18200690a5c7bb3e
RedLineStealer
4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01
RedLineStealer
79bbe7c7ef84ba66a2fe3065e9dd6b94506aba431dcd55e6d3b7b6bfc2bfebd7
RedLineStealer
9bd6141806d6a89ddd15d98517c7b79de204ab317c157eada64fefbef1a239cc
RedLineStealer
9c46b0c1c7a38127b1b163163646703a91267c09537c38762ffa9586aa4a4d0a
RedLineStealer
e206cdfadd769d8506f7dde22b1a3277075506810b455f491ff08fd42707a0a0
RedLineStealer
f8f5ee131a58780ff2f013e6d323660a2d02a8b57316db7942d7d94652f3d27b
RedLineStealer
+ 2'070 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:paladin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210918-t9dxashfb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
188.124.36.242:25802
Unpacked files
SH256 hash:
e9905446c858326e8f0fe12f6df777542180608381f1ccae4bda9a8356b04abc
MD5 hash:
74200bd872e0b3d75b1d85332c3be083
SHA1 hash:
78a644acda865dbf7db531e02f25a452337c789c
Link:
https://www.unpac.me/results/44b288a6-7f85-4d9c-a147-d4a1bd0dbf91/
SH256 hash:
3acbb58ac3b5a60432bddf39ae7fde7eb83d8f294b920ee6c650dfd627603875
MD5 hash:
a217837fb37dec1ca8dba528b8c71c6a
SHA1 hash:
3e890e7a33a94919212100e6267aee771792d58d
Link:
https://www.unpac.me/results/44b288a6-7f85-4d9c-a147-d4a1bd0dbf91/
SH256 hash:
0e2b2a949f5b38e59b8b0fed9bc16e95e6253e6badef7dddefabf3488d757eec
MD5 hash:
ea7b364183ffab0676748bb491509d76
SHA1 hash:
24dbe7482d4ed0c5607f35722452908e8a965bbc
Link:
https://www.unpac.me/results/44b288a6-7f85-4d9c-a147-d4a1bd0dbf91/
SH256 hash:
5036b5a50a5fbe581f04dde382187873f9dadf180f445271a82f9ae4a8ec36ee
MD5 hash:
163fc40af22b68230176b3959f02d4e0
SHA1 hash:
ec66039ee20b8fff9226ca7f254f5ff7d16d4edc
Link:
https://www.unpac.me/results/44b288a6-7f85-4d9c-a147-d4a1bd0dbf91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5036b5a50a5fbe581f04dde382187873f9dadf180f445271a82f9ae4a8ec36ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5036b5a50a5fbe581f04dde382187873f9dadf180f445271a82f9ae4a8ec36ee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1616291/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/188950/

Comments