MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57dcbc18f90c578be783d25705113d4deb105fa7c66d2e7119974d22c8f483f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57dcbc18f90c578be783d25705113d4deb105fa7c66d2e7119974d22c8f483f5
SHA3-384 hash: 18ad65b349044e79aa48455b8b60690f3ecbba4c1ba5711e9a8dd689336f0e0bb18ef22700277eb14915e5d57aaf1541
SHA1 hash: 1d39a52869b2f8f16e26395727e15b0091d0694c
MD5 hash: 703803d10a8bce7032e2a7417d037fdc
humanhash: apart-maryland-winter-papa
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:304'640 bytes
First seen:2022-11-21 00:16:04 UTC
Last seen:2022-11-21 01:33:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8a73eab249f57a85749bc031decc9b5 (7 x RedLineStealer)
ssdeep 6144:Bgz8tQltcizMgKqJx+qYi/iEoZ0Qm8N0riP5FrdLgUpaowI9L3TP:mz8ta2qJc/wiaw5FrdkUpaowIp
Threatray 1'507 similar samples on MalwareBazaar
TLSH T1BA549F3E2292873DE8E7D8764DE8C1B0773C21202FF520D75F9C1A6D4A259EDA23A51D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-21 00:18:22 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/207b7542-d466-4c2c-9ddb-7d5e2ea27c55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/336494/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.22184.29200.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware redline virus
Link:
https://www.filescan.io/uploads/637ac380e64742f53c1063b6/reports/3b11e096-e9d4-458c-b682-bfaeebd81954/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7e2b764-1239-432d-8007-32adfee55cf1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117710
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57dcbc18f90c578be783d25705113d4deb105fa7c66d2e7119974d22c8f483f5/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-21 00:17:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7olyghzbrlyxz4d2jlqkej5jxvrax5hyzws44izs5gsfshuqp2q._file
Verdict:
malicious
Similar samples:
2f067abf432e132947018cec390ed0a6a552a32f77bdad852d1adb75266c2e58
RedLineStealer
4709fd98726279f1671ff8486d4dbaa7d475972599d50740ca606248d13f904b
RedLineStealer
9746de42e598888d36496f78c8cdb7145db4fa524ab4fa924ce7e2d19480731c
RedLineStealer
c3c9d57b69a22007ac8f0d953dd65a969ce5cd5b28bf32f01348d4c39d04cc97
RedLineStealer
d99b7f70d1451c0ac595420b2fe983ecda625c47575ee4a24e786dc440626a55
RedLineStealer
f6e87692e433ad1d832706b4ffb04db9be5324aad182dbaca8771532dbd8ab43
RedLineStealer
+ 1'497 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:easy11201 infostealer spyware
Link:
https://tria.ge/reports/221121-ak2saabd93/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
chardhesha.xyz:81
jalocliche.xyz:81
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dbf9d663-5fca-4e6b-a942-c7e38062c216
Unpacked files
SH256 hash:
2d649530128ccbe3f96cef64fb6e6da6ff6cf5a6658b2f2af310c0f544ad624d
MD5 hash:
1927b368f6dbba33ea3e5243e8b337d2
SHA1 hash:
1ee3b69defad80e0c55f22f9cf86d33347e9e1c1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f9e277ce-ccf7-47c6-9a33-b72376f8f94e/
SH256 hash:
57dcbc18f90c578be783d25705113d4deb105fa7c66d2e7119974d22c8f483f5
MD5 hash:
703803d10a8bce7032e2a7417d037fdc
SHA1 hash:
1d39a52869b2f8f16e26395727e15b0091d0694c
Link:
https://www.unpac.me/results/f9e277ce-ccf7-47c6-9a33-b72376f8f94e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57dcbc18f90c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57dcbc18f90c578be783d25705113d4deb105fa7c66d2e7119974d22c8f483f5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 57dcbc18f90c578be783d25705113d4deb105fa7c66d2e7119974d22c8f483f5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2412583/
Cape
Cape
https://www.capesandbox.com/analysis/336494/

Comments