MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901
SHA3-384 hash: 3b7295b86cbc25cf6c267b6e03c077933f137fe79575976992d321d408c56a362d38df93b1852d363ec3e5d6479cb52e
SHA1 hash: ced7fa41651d4927ea07d668eb5d7930c2b3efbf
MD5 hash: 00add32c7d7d084a1cdae37ddd18c13c
humanhash: lemon-green-failed-cold
File name:00add32c7d7d084a1cdae37ddd18c13c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:313'856 bytes
First seen:2021-11-12 22:50:40 UTC
Last seen:2021-11-13 01:18:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 620327c357b4e134c44aeeb41890b58a (3 x RedLineStealer, 2 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 6144:oqB7edlBsk3OHteXapxRddOEMpl/qG+K344F/gzPWeTwVf:fmlBskIz5WSyo4FITx
Threatray 4'007 similar samples on MalwareBazaar
TLSH T19764E13077E3C836E593A930546186B21B3BB97228B4874B7754176E2EF37C38A76352
File icon (PE):PE icon
dhash icon fcfcd4f4d4dcd8c0 (34 x RaccoonStealer, 21 x RedLineStealer, 8 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205383/
Detection(s):
SecuriteInfo.com.Lockbit-FSWW00ADD32C7D7D.24019.31093.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618eefd93edf00a722d1002b/reports/598fd722-f59c-401b-8b57-e163fe489cfb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e52bed65-9884-4788-9301-553f76e1ebe0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/888436
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 22:51:05 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kehoqort2tnmofuud4cohpcb2fdeazrddf6ix3cvxz66zclcxeaq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374
RedLineStealer
537b0c489b9e35fc06423d79171392e07d1147f9992d9219bd6ba597f438d6c0
RedLineStealer
6a7af1d145e133bfd37416108227befcfd1c15597f3a05fdf39ec95b9e8f1cfe
RedLineStealer
a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c
RedLineStealer
ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9
RedLineStealer
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c
RedLineStealer
+ 3'997 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1211 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211112-2ss9naeda2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.211.251.208:44660
Unpacked files
SH256 hash:
ebeddfe1d648c7991ee39adaef3a605ae349deaebdff04557f2b8a1f55ad2ab3
MD5 hash:
b740e772048fa3a6b1ec3f41bbd9d911
SHA1 hash:
88ad5a3ed43f6b8ef95ced0987fb71970be1f6e4
Link:
https://www.unpac.me/results/b83eb531-5a89-4603-b7d0-a0e26e002cc0/
SH256 hash:
afa4513c9477f9766c68cb440b5a2d9fd6e2edaa225e26f93c5e87a906093d76
MD5 hash:
930867dc69e1e33c5b2ee13732a724ca
SHA1 hash:
5cae8372f19bcd77cd79ec622d7fd33044059587
Link:
https://www.unpac.me/results/b83eb531-5a89-4603-b7d0-a0e26e002cc0/
SH256 hash:
e95b213499f3c285a01396d57b3643b96cb19010e573a28522db247034f6cf49
MD5 hash:
0e71dc7ee9fefc5ddcf3ef615a895339
SHA1 hash:
36a0e405d7937090612a0c82931a8f602dbb5a3e
Link:
https://www.unpac.me/results/b83eb531-5a89-4603-b7d0-a0e26e002cc0/
SH256 hash:
510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901
MD5 hash:
00add32c7d7d084a1cdae37ddd18c13c
SHA1 hash:
ced7fa41651d4927ea07d668eb5d7930c2b3efbf
Link:
https://www.unpac.me/results/b83eb531-5a89-4603-b7d0-a0e26e002cc0/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/510ee83a33d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1781415/
Cape
Cape
https://www.capesandbox.com/analysis/205383/

Comments


Avatar
zbet commented on 2021-11-12 22:50:41 UTC

url : hxxp://154.16.148.41/myblog/posts/sefile.exe