MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 572b535439e38db4d65ea6128e7d5a4a8c3bfbe3f2b3ec3d6aa7ec4224c81b31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 11

SHA256 hash: 572b535439e38db4d65ea6128e7d5a4a8c3bfbe3f2b3ec3d6aa7ec4224c81b31
SHA3-384 hash: f9bb6a24810b875f973de27a3ca886b1ca400b5a028f58d335138cc947029767d98d509f3c553b81228bbabc50f45bd5
SHA1 hash: b1a3b5210da16b0044cbffaf5243c63b6012fc3e
MD5 hash: cede7e681269355e227d65247a6cd822
humanhash: neptune-three-enemy-orange
File name: cede7e681269355e227d65247a6cd822.exe
Signature: RedLineStealer
File size: 365'056 bytes
First seen: 2021-09-09 07:14:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 96b0c0b056f44468723aefb84fe936ee (6 x Stop, 5 x RedLineStealer, 3 x RaccoonStealer)
ssdeep: 6144:Fkc0agNjtpJk95K/Q3omK4uJ6i9Tl+mkViakZI+GfRQnMlZRNFa3:b0agnpJ65K/Q3oeMxRoiDZWfqnMlnN6
Threatray: 1'964 similar samples on MalwareBazaar
TLSH: T18E74AD346EBCC435E1B312B446B6C3B8A5297EA17B3050CB62E43A9ED6347E49D31B47
dhash icon: 9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 124
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cede7e681269355e227d65247a6cd822.exe
Verdict: Malicious activity
Analysis date: 2021-09-09 07:37:19 UTC
Tags: trojan rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 84 / 100
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
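The two WMI signatures above describe a fingerprinting pattern rather than a single indicator: a process that reads Win32_DiskDrive and Win32_VideoController in quick succession is typically comparing the returned device names against known hypervisor strings. The detection below, added here as an example and not part of this MalwareBazaar entry or of any vendor's report, runs that logic over a handful of constructed WMI-Activity event lines and flags a process that queries two or more fingerprint classes within a short window. The line layout, the ClientProcessId field, the 60-second window and the two additional classes (Win32_BIOS, Win32_ComputerSystem) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# WMI classes whose values are commonly inspected to recognise a VM or sandbox.
# Win32_DiskDrive and Win32_VideoController are the two named in this entry's
# sandbox report; Win32_BIOS and Win32_ComputerSystem are added as an assumption
# (hypervisor vendor strings usually surface in their Manufacturer/Model fields).
VM_FINGERPRINT_CLASSES = {
    "Win32_DiskDrive",
    "Win32_VideoController",
    "Win32_BIOS",
    "Win32_ComputerSystem",
}

# Constructed log lines (not real telemetry), modelled loosely on the message
# text of Microsoft-Windows-WMI-Activity/Operational event 5858. The leading
# timestamp and the "ClientProcessId = N" field are assumed to be present.
SAMPLE_LOG = """\
2021-09-09T07:37:19Z ClientProcessId = 4212; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_DiskDrive; ResultCode = 0x0
2021-09-09T07:37:19Z ClientProcessId = 900; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_DiskDrive; ResultCode = 0x0
2021-09-09T07:37:21Z ClientProcessId = 4212; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_VideoController; ResultCode = 0x0
2021-09-09T07:37:22Z ClientProcessId = 4212; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT Name FROM Win32_Process; ResultCode = 0x0
2021-09-09T07:40:00Z ClientProcessId = 3300; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_BIOS; ResultCode = 0x0
2021-09-09T07:52:00Z ClientProcessId = 3300; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_DiskDrive; ResultCode = 0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ClientProcessId = (?P<pid>\d+);.*?"
    r"ExecQuery - (?P<ns>\S+) : (?P<query>[^;]+)"
)
FROM_RE = re.compile(r"\bFROM\s+(?P<cls>[A-Za-z0-9_]+)", re.IGNORECASE)


def parse_line(line):
    """Return (timestamp, pid, wmi_class) for an ExecQuery line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = FROM_RE.search(m.group("query"))
    if not q:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m.group("pid")), q.group("cls")


def find_vm_fingerprinting(log_text, window=timedelta(seconds=60), min_classes=2):
    """Flag processes that query >= min_classes fingerprint classes within `window`.

    Returns a sorted list of (pid, [classes]) for the first window that trips.
    """
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in VM_FINGERPRINT_CLASSES:
            by_pid[parsed[1]].append((parsed[0], parsed[2]))

    hits = []
    for pid, events in by_pid.items():
        events.sort()
        # Slide a window anchored at each query; distinct classes inside it count.
        for i, (t0, _) in enumerate(events):
            seen = {cls for t, cls in events[i:] if t - t0 <= window}
            if len(seen) >= min_classes:
                hits.append((pid, sorted(seen)))
                break
    return sorted(hits)


if __name__ == "__main__":
    for pid, classes in find_vm_fingerprinting(SAMPLE_LOG):
        print(f"pid {pid}: VM fingerprinting via {', '.join(classes)}")
```

On the constructed input only PID 4212 trips the rule: the inventory-style process 900 touches one class, and process 3300 spreads its two queries over twelve minutes. Tune `window` and `min_classes` to the noise of the environment; management agents legitimately enumerate these classes, so a single class hit should not page anyone.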
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-09 07:15:18 UTC
AV detection: 21 of 44 (47.73%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:uts discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 45.9.20.20:13441
Unpacked files
SHA256 hash: 0af5150a5c8f9a5f2678baf604a172626ed229efb82df96d7c358b27eb035b95
MD5 hash: 45b9ad483e9f5647e8f37dc8824d3831
SHA1 hash: fe09a099996b14eea72674be9a9a6c5963cf7cb8

SHA256 hash: 2fe3f6fc8b9b9f4d1bddc0e97ddd64229da2a069cf199bcd435d14a3e27e4e19
MD5 hash: f0f9a9448f7a0494d9bf6e11694bfce0
SHA1 hash: e3d5c8af3b294813b562fead751cc5c2f5c8a51c

SHA256 hash: 9fd5a295d9c662d120e8d2688ac4b645c3f4390299e4649b8bf76172f6a66425
MD5 hash: 07e9d4478cddb490f89b0edb4842ab0e
SHA1 hash: 48ea47adc76e29fbb23f8c82c7d1b4761f3216fa

SHA256 hash: 572b535439e38db4d65ea6128e7d5a4a8c3bfbe3f2b3ec3d6aa7ec4224c81b31
MD5 hash: cede7e681269355e227d65247a6cd822
SHA1 hash: b1a3b5210da16b0044cbffaf5243c63b6012fc3e
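What a responder does with the block above is sweep for it: four SHA256/MD5/SHA1 triples (the submitted file plus three unpacked payloads) and one C2 endpoint. The Python below is added here as a worked example and is not code from MalwareBazaar or from any of the sandbox vendors. It computes the same digest family the entry lists (MD5, SHA1, SHA256, SHA3-384) for a file's bytes, checks them against the entry's hashes, and checks a list of `ip:port` connection records against the extracted C2. The `ip:port` record format and the sample inputs are constructed for the example.

```python
import hashlib

# Indicators copied from this MalwareBazaar entry: the submitted sample and the
# three payloads listed under "Unpacked files", plus the C2 extracted by the
# sandbox. All hex is lower-case so comparisons are case-insensitive.
KNOWN_HASHES = {
    "sha256": {
        "572b535439e38db4d65ea6128e7d5a4a8c3bfbe3f2b3ec3d6aa7ec4224c81b31",
        "0af5150a5c8f9a5f2678baf604a172626ed229efb82df96d7c358b27eb035b95",
        "2fe3f6fc8b9b9f4d1bddc0e97ddd64229da2a069cf199bcd435d14a3e27e4e19",
        "9fd5a295d9c662d120e8d2688ac4b645c3f4390299e4649b8bf76172f6a66425",
    },
    "sha1": {
        "b1a3b5210da16b0044cbffaf5243c63b6012fc3e",
        "fe09a099996b14eea72674be9a9a6c5963cf7cb8",
        "e3d5c8af3b294813b562fead751cc5c2f5c8a51c",
        "48ea47adc76e29fbb23f8c82c7d1b4761f3216fa",
    },
    "md5": {
        "cede7e681269355e227d65247a6cd822",
        "45b9ad483e9f5647e8f37dc8824d3831",
        "f0f9a9448f7a0494d9bf6e11694bfce0",
        "07e9d4478cddb490f89b0edb4842ab0e",
    },
}
KNOWN_C2 = {("45.9.20.20", 13441)}


def digest_file(data: bytes) -> dict:
    """Compute the digest family MalwareBazaar lists for an entry."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_hashes(data: bytes, known=KNOWN_HASHES) -> list:
    """Return the algorithm names under which `data` matches a known indicator."""
    digests = digest_file(data)
    return sorted(
        alg for alg, values in known.items()
        if digests.get(alg, "").lower() in values
    )


def parse_endpoint(record: str):
    """Turn an 'ip:port' record into (ip, port); None for malformed input."""
    host, sep, port = record.strip().rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def match_c2(records, known=KNOWN_C2) -> list:
    """Return the known C2 endpoints present in an iterable of 'ip:port' records."""
    seen = {parse_endpoint(r) for r in records} - {None}
    return sorted(seen & known)


if __name__ == "__main__":
    # Constructed inputs: a stand-in file and a few connection records.
    print(match_hashes(b"not the sample"))                       # []
    print(match_c2(["10.0.0.5:443", "45.9.20.20:13441", "x"]))   # [('45.9.20.20', 13441)]
```

Matching on all three digest algorithms rather than SHA256 alone matters in practice because older feeds and AV logs still report only MD5 or SHA1; a hit on any one of them is enough to pivot back to this entry. The C2 check is exact on ip and port, which is what the extracted config gives; widen it to the bare IP if the family is known to rotate ports.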
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 572b535439e38db4d65ea6128e7d5a4a8c3bfbe3f2b3ec3d6aa7ec4224c81b31 (this sample)

Delivery method
Distributed via web download