MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 527164630561cc34d6f25f99516a6dba7399beb40cc0838a486444dd640dc78f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	527164630561cc34d6f25f99516a6dba7399beb40cc0838a486444dd640dc78f
SHA3-384 hash:	42b1213a2808fdc7cc5cb4da4a76bfc899fda14811e26414fc63bc7601359f564552067407b08a8a6f58e6582d113c75
SHA1 hash:	dae72a97491701e7ffe04525b294c763bcecdddd
MD5 hash:	c3e3eb6be19675917ca97f01ee417ae8
humanhash:	red-autumn-charlie-mountain
File name:	c3e3eb6be19675917ca97f01ee417ae8.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'461'930 bytes
First seen:	2022-07-11 14:15:07 UTC
Last seen:	2022-07-11 14:43:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fddbf4f40192bc43bc922f721e72df6c (5 x RedLineStealer, 1 x Formbook)
ssdeep	24576:rBTCYwYGfNo4fMdFyl+RWfCF2rAW05IbKGtTgNwwwULQOZEl3RuQ55313u:rBkRc2cW0amGt8NwwwUkaEl3U
TLSH	T1B7B5F903AACB0D75DDD23BB4618B633EA734FD30CA2B9B7FA609C53559532C4681A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
101.99.93.104:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
101.99.93.104:80	https://threatfox.abuse.ch/ioc/824180/

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

c3e3eb6be19675917ca97f01ee417ae8.exe

Verdict:

Malicious activity

Analysis date:

2022-07-11 14:20:51 UTC

Tags:

redline trojan rat

Link:

https://app.any.run/tasks/383d68fb-198c-4058-b2de-8162665debcb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/286292/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.32450.22104.8027.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug overlay packed spyeye

Link:

https://www.filescan.io/uploads/62cc30e281790e51fe57bdb4/reports/8e3589a9-ecdb-497f-9052-75222dd10f75/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Certishell

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1127b0d4-152d-4f3a-a6bc-a10842e644c2

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1028641

Signature

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/527164630561cc34d6f25f99516a6dba7399beb40cc0838a486444dd640dc78f/

Threat name:

Win32.Trojan.RedlineStealer

Status:

Malicious

First seen:

2022-07-03 22:16:51 UTC

File Type:

PE (Exe)

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kjywiyyfmhgdjvxsl6mvc2tnxjzztpvubtaihcsimrcn2zany6hq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@k4nion infostealer

Link:

https://tria.ge/reports/220711-rk4qbacbh9/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

RedLine

RedLine payload

Malware Config

C2 Extraction:

101.99.93.104:80

Unpacked files

SH256 hash:

605e9db48e1224ce3451e59f501f5e14fd750a3b5654ea70d7f9d04775991128

MD5 hash:

76fab2c64afb0b4fa70f6dd5aaed7ed0

SHA1 hash:

8484e87d4933219fe944d7c07677a192f1e93c89

Link:

https://www.unpac.me/results/21cd7ce3-fc73-4f9e-8a4f-9725e30b8ab4/

SH256 hash:

527164630561cc34d6f25f99516a6dba7399beb40cc0838a486444dd640dc78f

MD5 hash:

c3e3eb6be19675917ca97f01ee417ae8

SHA1 hash:

dae72a97491701e7ffe04525b294c763bcecdddd

Link:

https://www.unpac.me/results/21cd7ce3-fc73-4f9e-8a4f-9725e30b8ab4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/527164630561/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/527164630561cc34d6f25f99516a6dba7399beb40cc0838a486444dd640dc78f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/286292/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample