MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56c6e786a980422a6dc322c54dee750a936f4f143d268053d392a4486c10b5d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56c6e786a980422a6dc322c54dee750a936f4f143d268053d392a4486c10b5d3
SHA3-384 hash: 5d2a323781cf54d1df9755752e8797acf898508198d32846b1bda751a2ede93641223e673493c86533b423a44387b24e
SHA1 hash: 8f8ee0f37bd3b9a4130f6ad2cb26bb53010f8cdf
MD5 hash: 5982c80b74264ee6d68f1226c65e7c09
humanhash: pizza-muppet-kansas-quiet
File name:56c6e786a980422a6dc322c54dee750a936f4f143d268.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'605'296 bytes
First seen:2022-01-09 15:16:01 UTC
Last seen:2022-01-09 16:31:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 49152:afebE0f8SQEQPZWZQtyEPbxcW7AuoEvshm09EkMbIQ7HH8PPg9sVG4NaU5mR+yls:af90ESQEbmyEDSbsJ0KZLIqgyls
Threatray 717 similar samples on MalwareBazaar
TLSH T125F533FE169A78CBED475B74D580C093ABE290F5A5E0D0F3C1E9630B760930B9F84269
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.9.20.101:23970

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.101:23970 https://threatfox.abuse.ch/ioc/292069/

Intelligence

File Origin
# of uploads :
2
# of downloads :
376
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
444.exe
Verdict:
Malicious activity
Analysis date:
2022-01-09 14:40:41 UTC
Tags:
evasion trojan rat redline loader
Link:
https://app.any.run/tasks/e6df2f82-61cf-4342-aeef-2aa47133468f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217918/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a file in the Windows subdirectories
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61dafc3702e388f9fdba950f/reports/762dff27-ea8f-4881-be6f-2c725e2ed102/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b804ba42-9b9b-444f-a61f-9c5c85015d91
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917320
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549798 Sample: 56c6e786a980422a6dc322c54de... Startdate: 09/01/2022 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Yara detected RedLine Stealer 2->60 62 .NET source code references suspicious native API functions 2->62 64 3 other signatures 2->64 9 56c6e786a980422a6dc322c54dee750a936f4f143d268.exe 2->9         started        12 msiexec.exe 92 132 2->12         started        16 iisexpress.exe 5 2->16         started        process3 dnsIp4 74 Writes to foreign memory regions 9->74 76 Allocates memory in foreign processes 9->76 78 Tries to detect virtualization through RDTSC time measurements 9->78 80 Injects a PE file into a foreign processes 9->80 18 AppLaunch.exe 15 8 9->18         started        56 192.168.2.1 unknown unknown 12->56 42 C:\Users\user\AppData\...\iisexpress.exe, PE32 12->42 dropped 44 C:\Users\user\...\iisexpress.exe.manifest, XML 12->44 dropped 46 C:\Windows\Installer\MSI43AC.tmp, PE32 12->46 dropped 48 76 other files (none is malicious) 12->48 dropped 23 iisexpress.exe 1 33 12->23         started        25 msiexec.exe 12->25         started        27 conhost.exe 16->27         started        file5 signatures6 process7 dnsIp8 50 45.9.20.101, 23970, 49762 DEDIPATH-LLCUS Russian Federation 18->50 52 bitbucket.org 104.192.141.1, 443, 49770, 49771 AMAZON-02US United States 18->52 54 3 other IPs or domains 18->54 40 C:\Users\user\AppData\Local\Temp\luxe.exe, PE32 18->40 dropped 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->66 68 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->68 70 Tries to harvest and steal browser information (history, passwords, etc) 18->70 72 Tries to steal Crypto Currency Wallets 18->72 29 luxe.exe 1 18->29         started        32 conhost.exe 23->32         started        file9 signatures10 process11 signatures12 82 Multi AV Scanner detection for dropped file 29->82 34 cmd.exe 3 2 29->34         started        process13 process14 36 conhost.exe 34->36         started        38 msiexec.exe 34->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56c6e786a980422a6dc322c54dee750a936f4f143d268053d392a4486c10b5d3/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 15:16:20 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3dopbvjqbbcu3odelcu33tvbkjw6tyuhutiau6tskseq3aqwxjq._file
Verdict:
malicious
Similar samples:
0c026f6f5c3577b153ad00b629075001de41ad9d26de2723aacbf3a87c8bc0ef
RedLineStealer
17be6c33020601127b2ac2e87be0dadb64c7af911d38ba70bf4d86d595ca4759
RedLineStealer
512a285e71ca64c29b40cb0d68517521b460766bbe0a2233cf66959e227c37d8
RedLineStealer
56c6e786a980422a6dc322c54dee750a936f4f143d268053d392a4486c10b5d3
RedLineStealer
7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca
RedLineStealer
977c68b28f92df1f9cb32d67323dc5c13ee2da192f8007dbf893338529bd88e2
RedLineStealer
a16e7379dfd435c1b99183299ecbdb3b468e47cc68bb9a14bef5fda17bb2e942
RedLineStealer
aea2cbc32b7925ab28e619b8deb5c540ea8e61ad631b02e348be04b87f44627a
RedLineStealer
cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de
RedLineStealer
+ 707 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220109-snf9vsdhfj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
328153992ffc06a2572cdabe19482041b849cc64fc779add215cfa82759eb313
MD5 hash:
27a78c79a8d136e68b65ae28c0ff7d17
SHA1 hash:
8e4583ea14eb1823aa9ffb603a7dd37d94831b75
Link:
https://www.unpac.me/results/0d41dba1-16d6-43f7-a1a8-345c59283313/
SH256 hash:
46dd0b6cbdc7601d45c513f131bc2a2f6faaa9b13df5cb14c75e26988e72cf82
MD5 hash:
7617037b7bf6a5bb27f7f0c2b65fae19
SHA1 hash:
0b6d34a2a5c9cb083edcc2230bcf509e4fa50ca3
Link:
https://www.unpac.me/results/0d41dba1-16d6-43f7-a1a8-345c59283313/
SH256 hash:
56c6e786a980422a6dc322c54dee750a936f4f143d268053d392a4486c10b5d3
MD5 hash:
5982c80b74264ee6d68f1226c65e7c09
SHA1 hash:
8f8ee0f37bd3b9a4130f6ad2cb26bb53010f8cdf
Link:
https://www.unpac.me/results/0d41dba1-16d6-43f7-a1a8-345c59283313/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56c6e786a980422a6dc322c54dee750a936f4f143d268053d392a4486c10b5d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 56c6e786a980422a6dc322c54dee750a936f4f143d268053d392a4486c10b5d3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/217918/
  
URLhaus
https://urlhaus.abuse.ch/url/1961887/
  
Delivery method
Distributed via web download

Comments