MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52651bd3091f375b41b38aeeffd45d4df8fe0b1763fb6788756b473e6f96b5e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	52651bd3091f375b41b38aeeffd45d4df8fe0b1763fb6788756b473e6f96b5e2
SHA3-384 hash:	1ad760d26fd642901fe8f8ec8d1e6d2de792ea216826f8ecdb8229223fc171eab47753ab2b2bf6cfe332258a70704425
SHA1 hash:	ca78e08c38fcceea1b8a282715dd1eb4493648a9
MD5 hash:	0d39cc16fcf1fa439a5c8fb719d8270e
humanhash:	maryland-pasta-july-sixteen
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	465'920 bytes
First seen:	2022-09-01 09:25:04 UTC
Last seen:	2022-09-02 06:28:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e3b8a27053e73ab9de508e2b8d74566b (6 x RedLineStealer)
ssdeep	6144:zk+WC1ebskSQqYDOtlhxvkMB3T6krRSN7fwj4Ddrt1qlBw5n2UTRcUr7CAO9TecW:rt1eSzOOtBkUrRSN7rmlBwAl4O7icW
TLSH	T128A49D01B672C0B2D5778D329C6D931A653A65140B2349EBBFE429B42FB43D21AF0F67
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc743379129_647494938?hash=k1chvemuFsZyzYrYZIz1AQzrvb8kLtCrNpuUzZgA9no&dl=G42DGMZXHEYTEOI:1662023044:UoCcIZl8Tj3h9VxEXucm5x5H5uhXiqGqqat78YdSPTX&api=1&no_preview=1#dvift1eu

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-09-01 09:37:38 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/b56a1dec-0e16-4933-a724-54c58aa2830d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307153/

Detection(s):

SecuriteInfo.com.Variant.Lazy.239573.29707.3004.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Creating a process with a hidden window

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/36287/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/63107aaea7450371f6961ed3/reports/3c9b2bf9-3edb-44f3-a282-b3653fd7a111/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2157d6cf-61ff-4f94-9726-e12baf3eb009

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1062613

Signature

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/52651bd3091f375b41b38aeeffd45d4df8fe0b1763fb6788756b473e6f96b5e2/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-09-01 09:26:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kjsrxuyjd43vwqntrlxp7vc5jx4p4cyxmp5wpcdvnndt434wwxra._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2007329039 infostealer spyware

Link:

https://tria.ge/reports/220901-ldnsmabean/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

185.106.92.20:33168

Unpacked files

SH256 hash:

8492c4d6f0f29ea3a34a3bfc39105a592a11c6aa87ef6983929826477a9adac9

MD5 hash:

c6b5986e099d127e049538ad79385994

SHA1 hash:

941c727c6970ad564601897d3fc9442b464aa619

Detections:

redline

Link:

https://www.unpac.me/results/65059c75-33de-4616-ac24-89e40d4f73c4/

SH256 hash:

52651bd3091f375b41b38aeeffd45d4df8fe0b1763fb6788756b473e6f96b5e2

MD5 hash:

0d39cc16fcf1fa439a5c8fb719d8270e

SHA1 hash:

ca78e08c38fcceea1b8a282715dd1eb4493648a9

Link:

https://www.unpac.me/results/65059c75-33de-4616-ac24-89e40d4f73c4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/52651bd3091f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/52651bd3091f375b41b38aeeffd45d4df8fe0b1763fb6788756b473e6f96b5e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/307153/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample