MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54deea77c66f31b5b2ae101d942ddc0acd04a146f1dadf85f80034e1f6edd567. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 54deea77c66f31b5b2ae101d942ddc0acd04a146f1dadf85f80034e1f6edd567
SHA3-384 hash: 5d1a2f8657de5826cbcdbdbc624600c77b985fb9ec43bc3e375591a4aa79fd68196cd86a5a6cf021d0edec4c390ff93c
SHA1 hash: dfa7b0b4d24a93e4463921dbc7886e84dfd60495
MD5 hash: 8fa76cd75fe02c1093f254977f44ee79
humanhash: edward-low-hotel-mars
File name: 8fa76cd75fe02c1093f254977f44ee79
Signature RedLineStealer
File size: 403'688 bytes
First seen: 2021-08-16 00:31:27 UTC
Last seen: 2021-08-16 01:40:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash b535572a0356e55475d8da75f1f57f3e (1 x RedLineStealer)
ssdeep 6144:LNrji59qUe4LHW60V4Ayscy2sF3Y/VAOYc219/BtJTjjn1LFois8ICCKzche/9Wn:L1U9qUe4LZ0N8VwJn1LFoipIMz/QGbi9
Threatray 1'202 similar samples on MalwareBazaar
TLSH T171849D047AE15432E5F2053099FC9A758A39B8301B319AFF63D4863D9F316C19E39F6A
Reporter zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads:
2
# of downloads:
133
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Your+File+Is+Ready+To+Download.rar
Verdict:
Malicious activity
Analysis date:
2021-08-15 18:04:54 UTC
Tags:
evasion loader trojan stealer raccoon rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Connection attempt
Sending an HTTP POST request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Phonzy
Status:
Malicious
First seen:
2021-08-15 18:53:24 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:@soul3ss infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
188.130.139.12:23747
Unpacked files
SHA256 hash:
cde21b9c13f3b13f28c7f505d49a318a355aa563916f7eb95d653301227f892b
MD5 hash:
519ec47b32c21c552725b6290cef4e12
SHA1 hash:
9559fdd06f5019d6f023c2d23b1de0ab7d7b5686
SHA256 hash:
54deea77c66f31b5b2ae101d942ddc0acd04a146f1dadf85f80034e1f6edd567
MD5 hash:
8fa76cd75fe02c1093f254977f44ee79
SHA1 hash:
dfa7b0b4d24a93e4463921dbc7886e84dfd60495
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer
Executable exe 54deea77c66f31b5b2ae101d942ddc0acd04a146f1dadf85f80034e1f6edd567 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2021-08-16 00:31:28 UTC

url : hxxp://37.0.11.8/WW/file6.exe