MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58dd74be00f9f4aee71592466446b7664ea57418eda8eb643e1400bf2518a45f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58dd74be00f9f4aee71592466446b7664ea57418eda8eb643e1400bf2518a45f
SHA3-384 hash: 8a69e28a383fee5074fc5430c171772e3bfa45cca08e4fd402735c0f00ca81a2b779ad85aae39b881c87801141c0b1b0
SHA1 hash: 9ce0e40ae78fa71ab43f4e8acf2d855b0ea7ebcd
MD5 hash: adf162028e5b01840010d1a79ae6bdf1
humanhash: vermont-stream-fourteen-georgia
File name:58dd74be00f9f4aee71592466446b7664ea57418eda8e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:140'288 bytes
First seen:2022-10-01 00:56:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:VYO/ZMTFlxUI5rUdiKSk42oxKaVgDF0pRXqh1SS4i:VYMZMBlxUI6f42oxKV2Bqh
TLSH T1EAD35B1927DDAE14D5BE4B79A470A05197F0E513F953F33F4AD160EE2E22B80CE216B2
TrID 48.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.6% (.SCR) Windows screen saver (13101/52/3)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 5141494747556d1b (107 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.241.208.228:28532

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.241.208.228:28532 https://threatfox.abuse.ch/ioc/865818/

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315329/
Detection(s):
Win.Malware.Trojanx-9862538-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

Win.Packed.Lazy-9958163-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Running batch commands
Setting a keyboard event handler
Launching a process
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
redline stealer
Link:
https://www.filescan.io/uploads/6337905f49c58ce767c45c0c/reports/cb2d33a1-4672-4cb8-88f4-9c57b97ddcdc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0491d381-65a8-4828-abfd-8db62974a8c8
Result
Threat name:
RedLine, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081292
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 713849 Sample: 58dd74be00f9f4aee7159246644... Startdate: 01/10/2022 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 9 other signatures 2->69 10 58dd74be00f9f4aee71592466446b7664ea57418eda8e.exe 15 7 2->10         started        15 remcos.exe 2->15         started        17 remcos.exe 2->17         started        19 remcos.exe 2->19         started        process3 dnsIp4 53 o0l0j0jo.webredirect.org 185.241.208.228, 28532, 49708 GBTCLOUDUS Moldova Republic of 10->53 55 f0725413.xsph.ru 141.8.193.236, 49716, 80 SPRINTHOSTRU Russian Federation 10->55 49 C:\Users\user\AppData\Local\...\Firefox.exe, PE32 10->49 dropped 51 58dd74be00f9f4aee7...a57418eda8e.exe.log, ASCII 10->51 dropped 93 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->93 95 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->95 97 Tries to harvest and steal browser information (history, passwords, etc) 10->97 99 2 other signatures 10->99 21 Firefox.exe 5 4 10->21         started        file5 signatures6 process7 file8 45 C:\ProgramData\Firefox\remcos.exe, PE32 21->45 dropped 47 C:\Users\user\AppData\Local\...\install.vbs, data 21->47 dropped 85 Antivirus detection for dropped file 21->85 87 Contains functionalty to change the wallpaper 21->87 89 Machine Learning detection for dropped file 21->89 91 3 other signatures 21->91 25 wscript.exe 1 21->25         started        signatures9 process10 process11 27 cmd.exe 1 25->27         started        process12 29 remcos.exe 3 18 27->29         started        33 conhost.exe 27->33         started        dnsIp13 59 elew3le3lanle.freeddns.org 77.73.134.40, 20309, 49717, 49718 FIBEROPTIXDE Kazakhstan 29->59 61 geoplugin.net 178.237.33.50, 49721, 80 ATOM86-ASATOM86NL Netherlands 29->61 101 Antivirus detection for dropped file 29->101 103 Detected unpacking (changes PE section rights) 29->103 105 Machine Learning detection for dropped file 29->105 107 5 other signatures 29->107 35 svchost.exe 29->35         started        38 remcos.exe 1 29->38         started        40 remcos.exe 29->40         started        42 13 other processes 29->42 signatures14 process15 dnsIp16 71 Found evasive API chain (may stop execution after checking mutex) 35->71 73 Contains functionalty to change the wallpaper 35->73 75 Contains functionality to steal Chrome passwords or cookies 35->75 83 2 other signatures 35->83 77 Tries to steal Instant Messenger accounts or passwords 38->77 79 Tries to steal Mail credentials (via file / registry access) 38->79 57 192.168.2.1 unknown unknown 42->57 81 Tries to harvest and steal browser information (history, passwords, etc) 42->81 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58dd74be00f9f4aee71592466446b7664ea57418eda8eb643e1400bf2518a45f/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-30 23:44:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldoxjpqa7h2k5zyvsjdgirvxmzhkk5ay5wuowzb6cqal6jiyurpq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:redline family:remcos botnet:firefox botnet:lupefox collection discovery infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/221001-baxw1sgcan/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
RedLine
RedLine payload
Remcos
Malware Config
C2 Extraction:
o0l0j0jo.webredirect.org:28532
elew3le3lanle.freeddns.org:20309
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52ac33d9-7208-4a0e-86c8-876db40d9ad3
Unpacked files
SH256 hash:
58dd74be00f9f4aee71592466446b7664ea57418eda8eb643e1400bf2518a45f
MD5 hash:
adf162028e5b01840010d1a79ae6bdf1
SHA1 hash:
9ce0e40ae78fa71ab43f4e8acf2d855b0ea7ebcd
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/fc11a88b-1268-4839-8b35-eb5c561a060a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58dd74be00f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58dd74be00f9f4aee71592466446b7664ea57418eda8eb643e1400bf2518a45f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 58dd74be00f9f4aee71592466446b7664ea57418eda8eb643e1400bf2518a45f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/315329/
  
URLhaus
https://urlhaus.abuse.ch/url/2344735/
  
Delivery method
Distributed via web download

Comments