MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 564d5a4d8fd443954c6f00a82772d00c0b684fcd36f5ac086d06a3221a563ad4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	564d5a4d8fd443954c6f00a82772d00c0b684fcd36f5ac086d06a3221a563ad4
SHA3-384 hash:	09b13742282652c0c9d1424ca53bb24d30ea48eb3add3f43b85c8e736fed7a086a6bf331458bafbb80d81e6a4721b0eb
SHA1 hash:	f42d6cc8d71f9e6d0ac231316837da38756e438f
MD5 hash:	7a88a52952e6d4e450e846a1f1a8c47f
humanhash:	maine-alanine-massachusetts-fix
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'678'450 bytes
First seen:	2022-10-20 15:57:22 UTC
Last seen:	2022-10-20 17:02:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a93cea5329220fb90674a1f0bde2cd0e (40 x RedLineStealer, 7 x RecordBreaker, 2 x ErbiumStealer)
ssdeep	24576:0oyZxbMZfJ71qlWsxp4cpYOYVqAk/bdM2rAyx+dolv6ZGPHPAGLY/r6T/CnAoWSD:9yZtscp4afPHPqrAkAoWSkSARl3M
Threatray	959 similar samples on MalwareBazaar
TLSH	T1A7C52B135A8B0D75DDD27BB4A1CB633AA734FD30CA3A9B3BB608C53959532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://79.137.192.57/tool/softwinx86.exe

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-20 15:59:49 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/868dd609-1f0e-49e4-aba2-8322d67640de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322064/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.33638.12303.12458.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/44001/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/6351700b898b0652a4b922a9/reports/6d1396b3-efa3-4283-aafe-32c36ed51cef/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/993912c5-2799-46fe-8935-199f71f3191f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1094320

Signature

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/564d5a4d8fd443954c6f00a82772d00c0b684fcd36f5ac086d06a3221a563ad4/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-21 02:14:00 UTC

File Type:

PE (Exe)

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kzgvutmp2rbzktdpacuco4wqbqfwqt6ng322ycdna2rsegswhlka._file

Verdict:

malicious

RedLineStealer

a6071a55f52e33afc85e2a6c018f32c34d9462d6952692c3abbbb1419da714c4

RedLineStealer

bfb370ec7c9814fef28e29192840d156e47df10483a5f8f6fa12d2d9b31aee82

RedLineStealer

d1020d62fc78a0788873d31b905fbfd037f58a1f9b538999c7212fe34c7019f2

RedLineStealer

f6e0ba510c7aa4cea2f2cbd444993d6158fd0a948f2b8ef94042b96529089586

RedLineStealer

+ 949 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1310 infostealer spyware

Link:

https://tria.ge/reports/221020-teg1gaccdj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

79.137.192.57:48771

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a3ba7bec-a4b8-4a77-a4d8-ac944a5e5a13

Unpacked files

SH256 hash:

881b46c8a9b56b84bc9b98712d417eec8e001a999d9533645da99537022af77e

MD5 hash:

56cff99842932fe66cf40cfcbc257641

SHA1 hash:

574113f2865e7eefba4fc937daaea4490567b12c

Detections:

redline

Link:

https://www.unpac.me/results/4c52bb4c-f493-47f9-80c4-fd1dc6c7cf35/

Parent samples :

6e3171073afbbfa511a45ac774ec558d5340b0b05c33e64456577fb190472783
564d5a4d8fd443954c6f00a82772d00c0b684fcd36f5ac086d06a3221a563ad4

SH256 hash:

564d5a4d8fd443954c6f00a82772d00c0b684fcd36f5ac086d06a3221a563ad4

MD5 hash:

7a88a52952e6d4e450e846a1f1a8c47f

SHA1 hash:

f42d6cc8d71f9e6d0ac231316837da38756e438f

Link:

https://www.unpac.me/results/4c52bb4c-f493-47f9-80c4-fd1dc6c7cf35/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/564d5a4d8fd443954c6f00a82772d00c0b684fcd36f5ac086d06a3221a563ad4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2378332/

Cape

https://www.capesandbox.com/analysis/322064/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample