MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54e0ad95db35c009388d9aa1ce84e34b4b9195567f717a53bbce5aef981ffd7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: 54e0ad95db35c009388d9aa1ce84e34b4b9195567f717a53bbce5aef981ffd7a
SHA3-384 hash: 2d57a2f47c52afef5790d012927b5b246978d79bb0a92bb3faa7b7501a2b603d2998cc4c600b38b5c0723055acb172bf
SHA1 hash: 6914260c0de115698aa026ba3a3b5ea3feef716d
MD5 hash: e4d608d271b7559184472173a28d31e4
humanhash: papa-juliet-emma-saturn
File name: file
Signature: RedLineStealer
File size: 342'528 bytes
First seen: 2022-10-22 20:46:06 UTC
Last seen: 2022-10-22 21:09:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 948229edbcf907989aa1bdb70732da32 (15 x RedLineStealer, 7 x Smoke Loader, 4 x Tofsee)
ssdeep: 6144:w9zLWjPOEW/MzuLiukPaPX5LXKrLuwKx/GfOh9oyM:w9zKjG//70PmZXuXKD8
Threatray: 7'734 similar samples on MalwareBazaar
TLSH: T1C57402027982C871C4C259348421F7A66ABFE8321E657C4B7B943B2E6F713D356B2397
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 480c1c4c4f590a14 (4 x Smoke Loader, 3 x RedLineStealer, 1 x TeamBot)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from http://77.73.134.15/vr/Galaxy.exe

Intelligence


File Origin
# of uploads: 12
# of downloads: 259
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-10-22 20:48:51 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file
Sending a custom TCP request
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-10-23 00:27:54 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 23 of 26 (88.46%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:newe discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction: 89.208.106.66:4691
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 122729c7bcef517eb9f8d3c49ef9def238b6807416bbd7ea18066b376e978c71
MD5 hash: fa6e92c4251caf25e3940f3f8a2a27d5
SHA1 hash: e6a536312cfcd76e3c1c44ced1e727e01c2e7872
Detections: redline
Parent samples: […]

SHA256 hash: a0b12ac811f7477947d58b6c61a94dc823801ede786853a8febb170f6d3b62da
MD5 hash: b9d4c9d0acf5821cdeba241bd238bdf9
SHA1 hash: d35629bf7dc97ec717738e9ce2ee3822c4525483
Detections: redline
Parent samples: […]

SHA256 hash: 0a6d7e517ddcce6dc1054ba50745e8b4c7e166c1cf7a62f3cb44a5a4ec66dad6
MD5 hash: 90b062b6059cc1ce31fb62d6549898e8
SHA1 hash: b5bc51572aeee1010b6d0323d572c9e94ab4d6a3

SHA256 hash: 54e0ad95db35c009388d9aa1ce84e34b4b9195567f717a53bbce5aef981ffd7a
MD5 hash: e4d608d271b7559184472173a28d31e4
SHA1 hash: 6914260c0de115698aa026ba3a3b5ea3feef716d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
