MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc
SHA3-384 hash: e7d324d59a128bd692e2b01f536a0c35156dfed4d1671c4ad93d68ce76db30c2f4389ae6665148da05b96dedc29cd38e
SHA1 hash: 74e4378d17d36bbaffabb024e50e57be735d8b32
MD5 hash: 4f6f1e21166488e9c7e1b395051bbd9d
humanhash: island-north-helium-burger
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:214'016 bytes
First seen:2022-11-26 18:05:18 UTC
Last seen:2022-11-26 19:29:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 750fa6f6324523d999e9ee554ca92aca (1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 3072:Pz0Rj65siQRWyvWY0tKtC+m/7izn19CagF/aBQf9bSlx8uqCUM0MbtWuu9xGEFV:Pzw6CiQIY04Ev/7iYVJ9bevUM0EfEd
Threatray 1'667 similar samples on MalwareBazaar
TLSH T18324CF13B7F06574C895C4BCA4F692E2DBBD1A1633C85089332D3056663FDFADA6822D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-26 18:08:30 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/770859fa-d0e0-4f31-994f-b91b2a6ecd3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/338834/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.17048.6979.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6382558d00c584752ee201be/reports/0f5530a4-9108-4c1a-a62c-43976a5d8a07/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41de7655-04ef-4f1f-a789-0e10260d8138
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121664
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 16:54:33 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kofzpaq4w5kfkfbjnxwnz7shi4l45flerrbgbwsjpp6sgovjt76a._file
Verdict:
malicious
Similar samples:
3e3fa8c5f5cc4ff95f439d86a4be759fbbc124e6655210d887459137d1c989db
RedLineStealer
3f37bdfc487c25b9a7b7ade0574a221cbc4c6976f8d5b46a2bcf08f6c0c5ed96
RedLineStealer
9158b433505974c8a6db1f168c19604f60e46ed79f6981d8dbd42d49c1078a98
RedLineStealer
9a11305a7524bab8a9c9beba2ee51f9f3f43d3492d62404d16db4dad089c2a4c
RedLineStealer
c4a4d4a5ac19fdbeb6006a9cada8cf5874f3d54007c298ac0194d093cb27a8df
RedLineStealer
+ 1'657 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:newlogs infostealer spyware
Link:
https://tria.ge/reports/221126-wpqrgadc65/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.73.133.70:38819
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4cefe735-765b-4243-aebb-bdeef1bdeb42
Unpacked files
SH256 hash:
a8807704f390ef9c668900b101bf6fa29894e7a365d2efedd45874911dd4b60e
MD5 hash:
d035d23f09e180b0f13278178e72ea38
SHA1 hash:
2b48fdf663eff239fecce11e0a5f5cb53764c2d1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a96c8537-b303-4d8e-8bbb-dbfc457ad186/
SH256 hash:
538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc
MD5 hash:
4f6f1e21166488e9c7e1b395051bbd9d
SHA1 hash:
74e4378d17d36bbaffabb024e50e57be735d8b32
Link:
https://www.unpac.me/results/a96c8537-b303-4d8e-8bbb-dbfc457ad186/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/538b97821cb7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/338834/
  
URLhaus
https://urlhaus.abuse.ch/url/2434514/

Comments