MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56637e06a35402eda9bf01f868a88cd3e3a683ed0ee092b8bfcb8118c36d04a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56637e06a35402eda9bf01f868a88cd3e3a683ed0ee092b8bfcb8118c36d04a4
SHA3-384 hash: 9ca91f77b1258c0ae702d9d122d77f0f6f10ca0d40730f4f8a693761019ddaed48735275aec9f3b536ebf629006c3ed9
SHA1 hash: 4b7cc9a4030e2ac7be47ce22f4c7ccb8824d3a15
MD5 hash: 914f22fd3b49942bfd32258d2811dcbd
humanhash: golf-kentucky-violet-twenty
File name:56637E06A35402EDA9BF01F868A88CD3E3A683ED0EE09.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:967'680 bytes
First seen:2022-01-22 23:06:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep 24576:feWqbXDbNx51h0L96vglzRs+Yu4bRDDE3tpMh0:2WqbV/s96vgdlYuw1w3vy
Threatray 1'917 similar samples on MalwareBazaar
TLSH T17A25220207C99231F0E417B0CDF543532669FCD67A2863AF7A8965DB09712C0BA797AF
File icon (PE):PE icon
dhash icon 71b0b28792964586 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.39.217.96:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.39.217.96:80 https://threatfox.abuse.ch/ioc/314066/

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.descarga.xyz/sony-vegas-pro-full-crack-mega/
Verdict:
Malicious activity
Analysis date:
2021-11-12 21:52:50 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/fe87bc21-9405-4b44-8b83-6dc243af3957

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221687/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38030323.18253.11722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5027/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll control.exe packed rundll32.exe setupapi.dll shell32.dll wacatac
Link:
https://www.filescan.io/uploads/61ec8e1bf81da814af9aa8fe/reports/3e2147a7-2a55-4c9d-b75d-433f5100ef80/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41c74fcc-11f2-486b-99f0-94d8c71a0ddd
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925734
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes itself after installation
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 558212 Sample: 56637E06A35402EDA9BF01F868A... Startdate: 23/01/2022 Architecture: WINDOWS Score: 100 89 Found malware configuration 2->89 91 Antivirus / Scanner detection for submitted sample 2->91 93 Multi AV Scanner detection for submitted file 2->93 95 2 other signatures 2->95 13 56637E06A35402EDA9BF01F868A88CD3E3A683ED0EE09.exe 1 5 2->13         started        15 rundll32.exe 2->15         started        process3 process4 17 cmd.exe 1 13->17         started        20 makecab.exe 1 13->20         started        signatures5 83 Obfuscated command line found 17->83 85 Drops PE files with a suspicious file extension 17->85 87 Uses ping.exe to check the status of other devices and networks 17->87 22 cmd.exe 3 17->22         started        26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        process6 file7 55 C:\Users\user\AppData\Local\...\Corpo.exe.com, PE32 22->55 dropped 97 Obfuscated command line found 22->97 30 Corpo.exe.com 22->30         started        32 PING.EXE 1 22->32         started        35 findstr.exe 1 22->35         started        signatures8 process9 dnsIp10 37 Corpo.exe.com 1 30->37         started        61 127.0.0.1 unknown unknown 32->61 process11 dnsIp12 63 192.168.2.1 unknown unknown 37->63 65 bxPUNQqaPLMlvLRAbURzRe.bxPUNQqaPLMlvLRAbURzRe 37->65 57 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 37->57 dropped 99 Deletes itself after installation 37->99 101 Writes to foreign memory regions 37->101 103 Injects a PE file into a foreign processes 37->103 42 RegAsm.exe 15 7 37->42         started        file13 signatures14 process15 dnsIp16 67 backforbloodse.com 5.39.217.96, 49820, 80 HOSTKEY-ASNL Netherlands 42->67 69 algerianfoodbank.com 95.217.226.51, 443, 49822 HETZNER-ASDE Germany 42->69 71 api.ip.sb 42->71 59 C:\Users\user\AppData\Local\Temp\win11.exe, PE32 42->59 dropped 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->105 107 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 42->107 109 Tries to harvest and steal browser information (history, passwords, etc) 42->109 111 Tries to steal Crypto Currency Wallets 42->111 47 win11.exe 14 3 42->47         started        file17 signatures18 process19 dnsIp20 73 www.google.com 142.250.184.68, 443, 49823 GOOGLEUS United States 47->73 75 Antivirus detection for dropped file 47->75 77 Multi AV Scanner detection for dropped file 47->77 79 Machine Learning detection for dropped file 47->79 81 2 other signatures 47->81 51 win11.exe 47->51         started        signatures21 process22 process23 53 WerFault.exe 51->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56637e06a35402eda9bf01f868a88cd3e3a683ed0ee092b8bfcb8118c36d04a4/
Threat name:
Win32.Trojan.Mamson
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 02:56:48 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
27 of 43 (62.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzrx4bvdkqbo3kn7ah4grkem2pr2na7nb3qjfof7zoarrq3nassa._file
Verdict:
malicious
Similar samples:
034e8e297165eeb14372eea7a7e68756e561df39b84c5be924e542a36dee7418
RedLineStealer
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
RedLineStealer
199f2dc4388a96b80edc0881ac6e70b33833ddb801d15a53981e0ce7624fe371
RedLineStealer
20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
RedLineStealer
2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df
RedLineStealer
5ecfe4ce56696312991f74569ffbe173a6dda8878dd2eb2c2ee109a4a4d4740f
RedLineStealer
6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
RedLineStealer
9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71
RedLineStealer
a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb
RedLineStealer
+ 1'907 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline agilenet discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/220122-23zt7adfgl/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
f0cf819c3cf69c19d4f1f080cfbbdc02952172b436065a98cd1047a2fbdf3dd5
MD5 hash:
7c907f6d03c048002088799bca65ca17
SHA1 hash:
bb78ce6809d085663dd4f955f9913a63b39ab8e3
Link:
https://www.unpac.me/results/2d24cb6b-4310-497f-901c-128e94165f38/
SH256 hash:
56637e06a35402eda9bf01f868a88cd3e3a683ed0ee092b8bfcb8118c36d04a4
MD5 hash:
914f22fd3b49942bfd32258d2811dcbd
SHA1 hash:
4b7cc9a4030e2ac7be47ce22f4c7ccb8824d3a15
Link:
https://www.unpac.me/results/2d24cb6b-4310-497f-901c-128e94165f38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56637e06a35402eda9bf01f868a88cd3e3a683ed0ee092b8bfcb8118c36d04a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221687/

Comments