MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 560d2261e0bff4964dccbfcebfc9cabe4f88082279f51333ab0a03ae6fba9578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	560d2261e0bff4964dccbfcebfc9cabe4f88082279f51333ab0a03ae6fba9578
SHA3-384 hash:	fadd580b83a47c58306f3d680fb5a182fb7d3ecc0f489c83d59b6f82e7d53b73585bcf775dcb2f980c4dcda8aacf3e39
SHA1 hash:	8a2dcc2c8720ca361545d5e84d3e8d3ffa4bd227
MD5 hash:	01cc95ce5359e91935bece2d63465600
humanhash:	charlie-west-failed-don
File name:	01cc95ce5359e91935bece2d63465600.exe
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	400'896 bytes
First seen:	2023-07-03 10:19:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc362a37f67c5b096afb52d4b7ed28c1 (12 x RedLineStealer, 2 x TeamBot, 2 x Tofsee)
ssdeep	6144:spSEY9iW38gDifH0dYkRVTdwcnCWK1vyGG4C1PK9r9y:vEY9i7gDifHmwcnCWKVC1Z
Threatray	15 similar samples on MalwareBazaar
TLSH	T18184E11376E5B873E5234633DE29E5F4BA1EB824FF192A9723186A2F49B03D1C572311
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1898cc40e6d2d2c8 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
194.26.135.162:2920

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

274

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

01cc95ce5359e91935bece2d63465600.exe

Verdict:

Malicious activity

Analysis date:

2023-07-03 10:21:57 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/d38e4bda-72fd-4280-8001-a33de6b21597

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/405864/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.6356.23561.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

FileScan.IO No Threat

Verdict:

No Threat

Threat level:

  2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64a2a0d32299d268826456f1/reports/c57622fb-7500-42ab-9f7d-ff765b923687/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/560d2261e0bff4964dccbfcebfc9cabe4f88082279f51333ab0a03ae6fba9578

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious Packer

Malware family:

Malicious Packer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/083c8d7b-0566-4bf4-8dc7-6c908f7646fa

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1265743

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/560d2261e0bff4964dccbfcebfc9cabe4f88082279f51333ab0a03ae6fba9578/

ReversingLabs TitaniumCloud Win32.Spyware.RedLine

Threat name:

Win32.Spyware.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-03 10:20:06 UTC

File Type:

PE (Exe)

Extracted files:

27

AV detection:

20 of 24 (83.33%)

Threat level:

  2/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kygseypax72jmtomx7hl7sokxzhyqcbcph2rgm5lbib24352sv4a._file

Threatray malicious

Verdict:

malicious

Similar samples:

53fbba9bc49a1d4abe19c2a0b9c54581329aab9126cf5fb8c43a40917648afb4

RedLineStealer

678c669f166984dad4acb1f9aefa2ce5ca144d931d21f3e48e1a1de2bed78ec6

RedLineStealer

7aa023814ba17ee53514f4816553de11e3fd12937595f35a4db76de3d29c40d4

RedLineStealer

8907dec2999775bb017857e6f596781b527233221e341be1f8cf4ccc6dcf4210

RedLineStealer

95084eb619f87c93ad143700f298dc5525c2a0520c308b69411518a9754dc3a5

RedLineStealer

95a09a2609d838abca7d4c252fe9fa44a337901810b2db2945673726ffc36b66

RedLineStealer

9f3ee915e2cff2e19bcf2c9c2111d9d1cd41f98a98788fb654193b3c1c6c52b5

RedLineStealer

aad595b3ee9f1972b20a8b76dc2fe9ed42c311edce0988fb984292cc7398db96

RedLineStealer

dbe7771525ffc7afbc1df1b0bc6c723f7022fd194cdb8042bead2f63eb3780c4

RedLineStealer

fb77c72161a3885499d305cc95dd95a28426a5cf549fdfcbfa2b95c632171e41

RedLineStealer

+ 5 additional samples on MalwareBazaar

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230703-mc3qtsga45/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

UnpacMe 10

Unpacked files

SH256 hash:

8acee876375e9e139f2c4b805142acc00566e7d35b47d192395a8bd34e94636e

MD5 hash:

c0766de0a38b7d3489800a1e2214f9c2

SHA1 hash:

312b9a946022f0654b5d65c3ca80e688ec8f14ec

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

e1bd091f64886cc5e6b5f82be833c5566d3f00f7b0fbc937f18cf2e6d72c0ae8

MD5 hash:

a78ceaf985db26d6f52bd44270582ac5

SHA1 hash:

17bfc99cf78fcccafb5ed95a24b5a63527b96f9c

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

95bcf6d38f4836fa5ffa8ef3780d5a6589b00cb99fc834eea774334ddf6864b5

MD5 hash:

7aced252e230592bfe5835e2ea2429bd

SHA1 hash:

0e7b3d44f6ed9c3cbc5530e4a5e626a4824522d9

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

8acee876375e9e139f2c4b805142acc00566e7d35b47d192395a8bd34e94636e

MD5 hash:

c0766de0a38b7d3489800a1e2214f9c2

SHA1 hash:

312b9a946022f0654b5d65c3ca80e688ec8f14ec

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

e1bd091f64886cc5e6b5f82be833c5566d3f00f7b0fbc937f18cf2e6d72c0ae8

MD5 hash:

a78ceaf985db26d6f52bd44270582ac5

SHA1 hash:

17bfc99cf78fcccafb5ed95a24b5a63527b96f9c

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

95bcf6d38f4836fa5ffa8ef3780d5a6589b00cb99fc834eea774334ddf6864b5

MD5 hash:

7aced252e230592bfe5835e2ea2429bd

SHA1 hash:

0e7b3d44f6ed9c3cbc5530e4a5e626a4824522d9

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

8acee876375e9e139f2c4b805142acc00566e7d35b47d192395a8bd34e94636e

MD5 hash:

c0766de0a38b7d3489800a1e2214f9c2

SHA1 hash:

312b9a946022f0654b5d65c3ca80e688ec8f14ec

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

e1bd091f64886cc5e6b5f82be833c5566d3f00f7b0fbc937f18cf2e6d72c0ae8

MD5 hash:

a78ceaf985db26d6f52bd44270582ac5

SHA1 hash:

17bfc99cf78fcccafb5ed95a24b5a63527b96f9c

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

95bcf6d38f4836fa5ffa8ef3780d5a6589b00cb99fc834eea774334ddf6864b5

MD5 hash:

7aced252e230592bfe5835e2ea2429bd

SHA1 hash:

0e7b3d44f6ed9c3cbc5530e4a5e626a4824522d9

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

SH256 hash:

560d2261e0bff4964dccbfcebfc9cabe4f88082279f51333ab0a03ae6fba9578

MD5 hash:

01cc95ce5359e91935bece2d63465600

SHA1 hash:

8a2dcc2c8720ca361545d5e84d3e8d3ffa4bd227

Link:

https://www.unpac.me/results/3928140d-5533-4506-8998-ea123366c020/

VMRay RedNet

Malware family:

RedNet

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/560d2261e0bf/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 560d2261e0bff4964dccbfcebfc9cabe4f88082279f51333ab0a03ae6fba9578

(this sample)

Cape

https://www.capesandbox.com/analysis/405864/

  

URLhaus

https://urlhaus.abuse.ch/url/2670388/

  

Delivery method

Distributed via web download