MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
SHA3-384 hash: 3360248ea693f3192e5167921c46d2f0e6630acd63e318fcd1338fe7e3d9033db11efc995f8edad99bae48b61f06b05a
SHA1 hash: 0195ec15b9e26cbe235e3f54df62fa28f93b225c
MD5 hash: dd65348e83de85cd76a106cf1c9384cb
humanhash: lake-wyoming-seventeen-tennis
File name:dd65348e83de85cd76a106cf1c9384cb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:598'528 bytes
First seen:2023-02-22 10:46:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:RMr3y90aTT2YQi+VSiUtLV9RTEajbxwpSTIcTtJ0IUF/xS:iybP9X+VSicVHgajUcTQd5S
Threatray 4'032 similar samples on MalwareBazaar
TLSH T182D40247AAEC8172D8B557B048FB02C30A767D605A34876B738B1D5E5CB36B4C2317AB
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.20:4134

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
dd65348e83de85cd76a106cf1c9384cb.exe
Verdict:
Malicious activity
Analysis date:
2023-02-22 10:48:33 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/75afd909-cec6-42d0-a91f-b9b08b058919

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/368933/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Disabler-9987080-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72181/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
advpack.dll packed rundll32.exe setupapi.dll shell32.dll stealer
Link:
https://www.filescan.io/uploads/63f5f270e6a5b4588ca14e19/reports/0262f58d-c432-4365-973d-f1d52361c83b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b91a69dc-8130-4853-92dd-9323ddffe01d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180455
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813289 Sample: 5q676QeAJK.exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for domain / URL 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 10 other signatures 2->40 7 5q676QeAJK.exe 1 4 2->7         started        10 rundll32.exe 2->10         started        12 rundll32.exe 2->12         started        process3 file4 24 C:\Users\user\AppData\Local\...\sxV8790.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\...\pBM42Te.exe, PE32 7->26 dropped 14 sxV8790.exe 1 4 7->14         started        process5 file6 28 C:\Users\user\AppData\Local\...\oyD83IB.exe, PE32 14->28 dropped 30 C:\Users\user\AppData\Local\...\nZO21pk.exe, PE32 14->30 dropped 58 Antivirus detection for dropped file 14->58 60 Multi AV Scanner detection for dropped file 14->60 62 Machine Learning detection for dropped file 14->62 18 nZO21pk.exe 5 14->18         started        22 oyD83IB.exe 3 14->22         started        signatures7 process8 dnsIp9 32 193.233.20.20, 4134, 49701, 49702 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 18->32 42 Multi AV Scanner detection for dropped file 18->42 44 Detected unpacking (changes PE section rights) 18->44 46 Detected unpacking (overwrites its own PE header) 18->46 56 2 other signatures 18->56 48 Antivirus detection for dropped file 22->48 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->50 52 Machine Learning detection for dropped file 22->52 54 Tries to harvest and steal browser information (history, passwords, etc) 22->54 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 10:47:09 UTC
File Type:
PE (Exe)
Extracted files:
95
AV detection:
21 of 25 (84.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k255hpusranpltq22a3ma4sahitvkq3zhnleliycm6d5vmggrmmq._file
Verdict:
malicious
Similar samples:
34fd6c819f0ff0375583329f712d9ac94a78ca8314e612d4bd303ea8b918d4f0
RedLineStealer
96367578de9eea233fe132d6ec683bf0df1929d30d4570c59fd409822d7a9421
RedLineStealer
9efee2d57d835c791d0d02054f78a246f2a789e279aa586f16819e438fad9c38
RedLineStealer
ac66dc201f99b597ee2e1927a3e8f1667bdf7705f2c8ac9ada9b04118d3a61f2
RedLineStealer
bab8a2a0f1ab5cf415fe8230b4c5d9f5b51bde2e60d1c142cb88a78fbdddcf9c
RedLineStealer
c120e00022d8d427c3bbc86bfb7d1a3da8a04b19df70e971293f22d30238624c
RedLineStealer
c43843275c563c3f8e31ee39a2a9ef867959593caa581a73885d0cbb0d61e056
RedLineStealer
c457e98c81f2d1f86a9062b8f7524d1f496d0d71da2c4213b5992a6d6544521c
RedLineStealer
cdeba0eba80bbae86bb235e1c629c707127654097fd1624ba6f21da81e557a33
RedLineStealer
e9544006dca36ca79094c4bb17ebcea6d29a040afca043b247feb533a85847f5
RedLineStealer
+ 4'022 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:dubai botnet:kk1n botnet:ronur discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230222-mt1mssah56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.20:4134
176.113.115.17:4132
Unpacked files
SH256 hash:
a37e64077bd649c5e305b9af78656a7022f62473384936d35987e4437305ed4d
MD5 hash:
23e7c0856852a0d79341f1ecc7af2abe
SHA1 hash:
ef445222bdf002335c9730c81830a017c041bb2d
Link:
https://www.unpac.me/results/49a1a3e0-36af-4837-a5ca-5edee1c842f7/
SH256 hash:
89df917d12815e8fbcd3c971986bb7a0acce027f6500641a405d1b74d63e9e76
MD5 hash:
9259c0a26b9e36c949da3e4e3b39657e
SHA1 hash:
64134daeacf5410d56669fa465978e46bdb7295f
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/49a1a3e0-36af-4837-a5ca-5edee1c842f7/
Parent samples :
5eca819baed9b9624bfcf5b048699cbde7d8a9d9a0f28a99fcad341f775972f0
34fd6c819f0ff0375583329f712d9ac94a78ca8314e612d4bd303ea8b918d4f0
cdeba0eba80bbae86bb235e1c629c707127654097fd1624ba6f21da81e557a33
c457e98c81f2d1f86a9062b8f7524d1f496d0d71da2c4213b5992a6d6544521c
9efee2d57d835c791d0d02054f78a246f2a789e279aa586f16819e438fad9c38
ac66dc201f99b597ee2e1927a3e8f1667bdf7705f2c8ac9ada9b04118d3a61f2
bab8a2a0f1ab5cf415fe8230b4c5d9f5b51bde2e60d1c142cb88a78fbdddcf9c
c120e00022d8d427c3bbc86bfb7d1a3da8a04b19df70e971293f22d30238624c
ea09554bb47d16149144d42b26d9022cdbe753b6026626ebd3ba99be8511777d
e9544006dca36ca79094c4bb17ebcea6d29a040afca043b247feb533a85847f5
2c9c5dbdb68863ae4863c444c9ec8b67968be535fab0808ccef55800370950cb
c43843275c563c3f8e31ee39a2a9ef867959593caa581a73885d0cbb0d61e056
96367578de9eea233fe132d6ec683bf0df1929d30d4570c59fd409822d7a9421
ca02d7d9ded6d35965b5eae79da178fbb884c9002ae33b342a689ee8842990dc
e5642d5842867e0544eb5cf2d31b8970ad464fe431b40b598b69bb5386b19a1f
33246d2f91d2e22590129f20c87ae87721ef288bbac63ec505a32e8086f9c14b
0a12415d4ce544b02e87b14fd12ac08cee2fa00ec80717f466a5c8c03e7d76ca
cd290df81e4bc1c2d7fa0c3debf353ee844fa5400544b586bef492ee3b6b184b
ba696597b9fff0a8682b340684f4eb8e5c829462009b26517ae28439ae12018c
988881d6b5554563391986f4cc019b18e36274597fdb3bd54ef7c5603a516bdf
eed0b3a6fb74e267169fb3e613e39f9d7fd1b815270985e6af6512ceb0e173da
79b3f8aa0e868c6b8c04b02f5bb890631009ddf74ff1e5d574b4303d954bf8b3
ecf7e79f4ad960becfe646b8941da7e96cfb5a04ad34da396e0663d7a65d955b
8f9cdccfaec13234321bf87ac4f9dd97412ff37c67b1abdd852bf72f7af8b155
61ab8034851da4259a5549809986cdc2feeb8c93194694162688f55c2f049900
5748216db52452f7a69415930cc592edc60c0db68281b52037030481cda7a067
0c9302498db90160cff7d95614361c03c0f9ff9fd97cb76a1bb1be2ad7afd54a
7b46906487b2f9f8c8dc7be3a346474072a305ca91373ac2a1fd495f517fc9cd
bc5b6b0e77db4d4509fa67b210f8b7af16a435283749c9d6ba1969f0d32b432c
af76c3d3aef0ac6b1275c440f820e0643419ee24a607443db8aa998091bc1428
b679409761837369936d5cfaa45f00dec518396c0b0312d8e26e17b90f5a5a1e
f6f03a1141e356c5011556d3ab3751f5fb087bfee4984b4b3c2d57581e39f4a0
57de7c5166d015792bbe850a2fef9a000effe869ac681e186c70f6060925e731
7bbe59fdbd5e85422e132c114695cb24d9e2bdebec50e938a6f92cadaeaf7f90
cabf1a144990b86298b896efc2e21f4e783181e9aa998630d4b4f8a08746a802
847f2585cb584ae36ddf98de3cdc381dfb09eab5c7695bb8f86730c880d90ba0
5f20bf1b94928038c0bf919d3babebf2d51646b8644235ed41e5ad87602e39f9
f6f9ba562369237e4c82a10722d7093dea088c5c8eac2506e6bcdf7350a4febd
bb9b0f0b2564e1817399025d209a51878f070a9c0370d341398cf1c4caea59c8
0f316ce3a18b7930b2098f26db8be64ee8b31b36b49bada7ab15943cf7dbd882
6601377a6452b4ebd504d0bd07b82319874950b94f471a52ea3198202a856655
566d25b423d6bf5a65a878989dd5d6b491bbafcc7e41616aa34a94ebb4959484
7db9ce537abb3082009a20dd309807fb2422ab3397ed6b48c1e57302ef48837e
e4f3f9bd49f357b7002bd4538f5397dd38b57449aeac49a536599f1d26b08b00
5ddabb6c8573a0f1953ea77bce93fd5eaafc47b87c8c081cc1ef1c2a2b26f6b5
f65e55d88f8b2daacada6de651bd66e788faea3d5e6c673aa3f5983f08c82db9
28573d964c471ba36c4bccc510197af2669c1498ce5b041d90a9ff4c5f136aec
51c7cca00712801ade62d62309c2014231c9e447ca76829fb24de1712ee935d0
d7623470361773f0fed6970ecf4fa4ab51d9f6ebc9ecf4828c77b72136c945c4
955e4add7fef760292d37853c801d3682f01b3db7dad1fe2eebddb3d6c80d8d0
06c034757f977337ebfd88435f03a269565aa91bcd0c12e3b65fa67be93a08b5
cd8d689bec5ed6c84ed23236955e3f5564df831e49fdcac52af1f403e2edc451
65b02fce0684db534cf8d2875a40ff756d7c7b8a9914154b5e9d274068150f6a
f6b542f9c7c64910063aa3b4036d864d61546844290113d1c74f9379ae696f19
c3d4a3ed8d9548266be03aaa4e4cdd0ac00426289f147f47281c5dc7c646dd9c
4bfb921c92892a88aac869a408968a660b2f99c9f5045b77ba109c30bab2de5c
9c91566fa2ee262269c37974f59cfea87632da804e48af1a53977395a9199ead
fca9768e262acf8541edb720f60e487fb1b989cbe9e69691ff5e1c40e8d7b8ff
e3b8d5e7e6748052efb0bd12fa34b3d6b15014b77c2f7292959864f54bb929ff
fe1401d3b0ca1bf4da5836388c9c39b9e38ab2cff32fbb8e98d0bb54a1530ca3
4eb6daeb4425e9babe68b3e22510096ce80773198a67bf1e4518359e3a85154c
e035c6f0110b8fe9ced16e8edbd57b14ef21773f1ff7b6f047f8b4b355892bef
182546aa1bafd3b66a1c52f9d02f40f370f56dd143afdaab2ad2301e71c11d05
825873e0a5d8d2de1f493a046f4334e8dfa846975cdfc6ae41154cf63891c7ee
29ee1adbe52473ca1ca2e30672bde86ace7ea2658f6aa10bea16a1a40aef4cc2
318aa920bf04fa3b8d1fc59b10f907747820aec84a79d9ec7cac479302620c88
785755222a312d20469e673184727d6744809e9fadc13ed126a7c8d127f0d6f9
2bbe4647c6e089301d77919055997822a0a99de760d36b198a49ff17c6c6b839
56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
08fdd7a5dfca7199af1ce03436a876b725522f3afdd1fbcd1bb4d1be527efb62
aafea187dce3f09b11d83fd877815b9687772296c1e06b110bcc6c427d7b9a59
da60922aee05f23dd46551ea84697e1b53bf3f4f23ed0e2e9e3852856dcb357e
e3db4b66c4a0e4149b65aaa9742cf525c366affecb66f8e1636dde0acc60706a
37a481250fba32a58cb9edce695ca8e79871bce31048b139bb5562e7bc5d6263
2e472c2bd9c0caf6d7137d706396c28b4482e924f9cc66dd34ea68919e28c835
308d9de342b378cfb5d354820bda09c58c8c3ee67b7755c7b60171a220cb137e
4b73fabdffd00b7a6195fa096056d2aee0b92a24fe39a03bc2a05739c12dea96
1ab8530a27e06458681d617de648ccd2e290f8a4c40bbb9dcedef7aaf68f606c
9f54831799b2eec632023227a3878eac82f28d2458b16bbd03d447e5bdb08ecd
3ef01ee791869b832e357a076b68bd9171040c88be601911cfbdd6782ab00909
67c35635a2bde7ab0b4e1c3d31c032ea9b1635fb942f3870cdb6b94db7510c2c
4ff1334aa7a3790f75a40310f5839056e43c130199f761d2a82a84e7d57a1e6d
adb452d5dfe248e6e2b12103bd57daaf2749aab3d6a75f53068d4e96b0dcf747
b0627436faa99e47e4bb04f588fd047986147887a03c25a92cbd2348e0fba4cb
d4f0b5cb717636ae26e08e9c2249ec6b888372effdf8fb0eabaacb77edfd0102
b1c87ef62fa53f053801cb96a105fa1e3164f11b110babe210864181b3620614
802c163bd044ab5ec2235759ba39d173905de326b2a79051a1e58853a247ba82
75fe3828ff3ab874cb754dc3d5852ad90944f8c05bfd7226652872d391e0613f
668f014732e2576d67a6cf8a6949ea2ab634c8d2b15997684abf99a8991e3ac6
126575fa347e9012fd409e1692f132143f869541fc2445819d640fd1e7c60065
879f2f1584ebdadaca8f645280dca1b17b03a40f587b8de875e1f86b451fd3ed
80d6758fc3e6a83608bc60dfe1693e9d24cd3207df0722d58209e14c2685aa22
8ac2d28d9473cf364e5f675734c5e86510a343e2e685aefe8ff0c4060ca11f3c
990d16c98d18251e2a9c57e517e8f09c187233510276a455202c2f0a2e93db56
SH256 hash:
c950fe518b8295a1a2cbc8e88c4482c95fb013f54cadf4ff0bb7181f84513934
MD5 hash:
e903ff6756b38e810b07d85398f27a23
SHA1 hash:
2500a187dfd0094915cddfead3375852a209c835
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/49a1a3e0-36af-4837-a5ca-5edee1c842f7/
Parent samples :
5eca819baed9b9624bfcf5b048699cbde7d8a9d9a0f28a99fcad341f775972f0
cdeba0eba80bbae86bb235e1c629c707127654097fd1624ba6f21da81e557a33
5e61ca396611b20ac59f4701d471fce71202fa690f5481c5f71d0f1b00336406
9efee2d57d835c791d0d02054f78a246f2a789e279aa586f16819e438fad9c38
ac66dc201f99b597ee2e1927a3e8f1667bdf7705f2c8ac9ada9b04118d3a61f2
bab8a2a0f1ab5cf415fe8230b4c5d9f5b51bde2e60d1c142cb88a78fbdddcf9c
c120e00022d8d427c3bbc86bfb7d1a3da8a04b19df70e971293f22d30238624c
96367578de9eea233fe132d6ec683bf0df1929d30d4570c59fd409822d7a9421
ca02d7d9ded6d35965b5eae79da178fbb884c9002ae33b342a689ee8842990dc
e5642d5842867e0544eb5cf2d31b8970ad464fe431b40b598b69bb5386b19a1f
33246d2f91d2e22590129f20c87ae87721ef288bbac63ec505a32e8086f9c14b
cd290df81e4bc1c2d7fa0c3debf353ee844fa5400544b586bef492ee3b6b184b
cf755affe24a7e970b02ffeceddce25f80f94c4b4cc547c8b5cd03493bb0e557
988881d6b5554563391986f4cc019b18e36274597fdb3bd54ef7c5603a516bdf
e0379ac34b43ab263dbd2e7ad5121ebcfd9f68ce19f4deed8fdeb980d77c56f3
79b3f8aa0e868c6b8c04b02f5bb890631009ddf74ff1e5d574b4303d954bf8b3
ecf7e79f4ad960becfe646b8941da7e96cfb5a04ad34da396e0663d7a65d955b
8f9cdccfaec13234321bf87ac4f9dd97412ff37c67b1abdd852bf72f7af8b155
2daeeb62fc2bbd3eed608f4869b6216897f47de7cd60d83a564d39c896f3ade5
0c9302498db90160cff7d95614361c03c0f9ff9fd97cb76a1bb1be2ad7afd54a
7b46906487b2f9f8c8dc7be3a346474072a305ca91373ac2a1fd495f517fc9cd
bc5b6b0e77db4d4509fa67b210f8b7af16a435283749c9d6ba1969f0d32b432c
af76c3d3aef0ac6b1275c440f820e0643419ee24a607443db8aa998091bc1428
f6f03a1141e356c5011556d3ab3751f5fb087bfee4984b4b3c2d57581e39f4a0
57de7c5166d015792bbe850a2fef9a000effe869ac681e186c70f6060925e731
2953bdc400a36df5640b9347931aa8e9e15088e5eeaad9576a096083d30356d5
7bbe59fdbd5e85422e132c114695cb24d9e2bdebec50e938a6f92cadaeaf7f90
cabf1a144990b86298b896efc2e21f4e783181e9aa998630d4b4f8a08746a802
86de7903cfeed570b0f301e5e5a2f7bc6d3f593bb9dd29813ffa529054ba1379
f6f9ba562369237e4c82a10722d7093dea088c5c8eac2506e6bcdf7350a4febd
bb9b0f0b2564e1817399025d209a51878f070a9c0370d341398cf1c4caea59c8
0f316ce3a18b7930b2098f26db8be64ee8b31b36b49bada7ab15943cf7dbd882
6601377a6452b4ebd504d0bd07b82319874950b94f471a52ea3198202a856655
7db9ce537abb3082009a20dd309807fb2422ab3397ed6b48c1e57302ef48837e
5ddabb6c8573a0f1953ea77bce93fd5eaafc47b87c8c081cc1ef1c2a2b26f6b5
955e4add7fef760292d37853c801d3682f01b3db7dad1fe2eebddb3d6c80d8d0
ec440c0a6a82513da0a87662e593bd0ed464a3ee3622d4b174e9df395d8c8cdc
65b02fce0684db534cf8d2875a40ff756d7c7b8a9914154b5e9d274068150f6a
521110cc5b414bf5098a7e19d64c3592e7531ee9ce7fc452cf4ae3f88c7427af
c3d4a3ed8d9548266be03aaa4e4cdd0ac00426289f147f47281c5dc7c646dd9c
4bfb921c92892a88aac869a408968a660b2f99c9f5045b77ba109c30bab2de5c
9c91566fa2ee262269c37974f59cfea87632da804e48af1a53977395a9199ead
4eb6daeb4425e9babe68b3e22510096ce80773198a67bf1e4518359e3a85154c
e035c6f0110b8fe9ced16e8edbd57b14ef21773f1ff7b6f047f8b4b355892bef
825873e0a5d8d2de1f493a046f4334e8dfa846975cdfc6ae41154cf63891c7ee
2bbe4647c6e089301d77919055997822a0a99de760d36b198a49ff17c6c6b839
56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
08fdd7a5dfca7199af1ce03436a876b725522f3afdd1fbcd1bb4d1be527efb62
37a481250fba32a58cb9edce695ca8e79871bce31048b139bb5562e7bc5d6263
9f54831799b2eec632023227a3878eac82f28d2458b16bbd03d447e5bdb08ecd
67c35635a2bde7ab0b4e1c3d31c032ea9b1635fb942f3870cdb6b94db7510c2c
ba0c6fac5914eef2831c584d15b99f8c2a0e16026ace23725ccfd5eacf3a2697
667119dc6e5aa376b5de1c263b42f4e11a5b5548467032f01f07c23fb98383fc
adb452d5dfe248e6e2b12103bd57daaf2749aab3d6a75f53068d4e96b0dcf747
b0627436faa99e47e4bb04f588fd047986147887a03c25a92cbd2348e0fba4cb
d4f0b5cb717636ae26e08e9c2249ec6b888372effdf8fb0eabaacb77edfd0102
b1c87ef62fa53f053801cb96a105fa1e3164f11b110babe210864181b3620614
75fe3828ff3ab874cb754dc3d5852ad90944f8c05bfd7226652872d391e0613f
668f014732e2576d67a6cf8a6949ea2ab634c8d2b15997684abf99a8991e3ac6
879f2f1584ebdadaca8f645280dca1b17b03a40f587b8de875e1f86b451fd3ed
80d6758fc3e6a83608bc60dfe1693e9d24cd3207df0722d58209e14c2685aa22
8ac2d28d9473cf364e5f675734c5e86510a343e2e685aefe8ff0c4060ca11f3c
SH256 hash:
e9591ea23f56ef29a6b9c9e49933ea36802d56ab4704350f5e7e487397f1c783
MD5 hash:
43a08c702d9d4b18169c91bf4888019d
SHA1 hash:
fb79c6933e3bba0dea3b5eab996bc9c9463d03b3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/49a1a3e0-36af-4837-a5ca-5edee1c842f7/
Parent samples :
56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
aafea187dce3f09b11d83fd877815b9687772296c1e06b110bcc6c427d7b9a59
SH256 hash:
c1b74fe23bad74a692ff41d96dd968f54a17021c9d1d36bb2ca0ed65d8e218c9
MD5 hash:
fd38176457539f4c8d49dcc08ee7a270
SHA1 hash:
b3283ecce8f04cea30cf0f3a0e63f625518e8e6e
Link:
https://www.unpac.me/results/49a1a3e0-36af-4837-a5ca-5edee1c842f7/
SH256 hash:
8d17b2441d41fa8411cb6b5487d06eb7053e518f3cf5ac52f02003755722be28
MD5 hash:
d7c53a26309e6029f9eac9d5e02417bf
SHA1 hash:
882972c0e2eb559f5d1286a5386810ba123e531d
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/49a1a3e0-36af-4837-a5ca-5edee1c842f7/
Parent samples :
9c91566fa2ee262269c37974f59cfea87632da804e48af1a53977395a9199ead
fca9768e262acf8541edb720f60e487fb1b989cbe9e69691ff5e1c40e8d7b8ff
e3b8d5e7e6748052efb0bd12fa34b3d6b15014b77c2f7292959864f54bb929ff
2bbe4647c6e089301d77919055997822a0a99de760d36b198a49ff17c6c6b839
56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
SH256 hash:
56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
MD5 hash:
dd65348e83de85cd76a106cf1c9384cb
SHA1 hash:
0195ec15b9e26cbe235e3f54df62fa28f93b225c
Link:
https://www.unpac.me/results/49a1a3e0-36af-4837-a5ca-5edee1c842f7/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56bbd3be9288/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2546949/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368933/

Comments