MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d
SHA3-384 hash:	8c40acf7e1acc4fc58c18faed54ac9395e6f5a6d34b676ed0b3d8ac8e6a10b0f9194a1611ddf3f1fd8989e496f3928ab
SHA1 hash:	d1a1b6a76402387cbda30b31b54aaf0717c0e227
MD5 hash:	72ed407fbc0007404b05abc1a8b66d6e
humanhash:	venus-winter-xray-seventeen
File name:	72ed407fbc0007404b05abc1a8b66d6e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	475'008 bytes
First seen:	2021-08-12 06:42:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:1l/smPBvY/tMuVWw1Nxx8oNIcfdo/IkYMw0jnj/qQOUZ6CMCrhp9ZXTLfMobPUn:UmNYVL1Nx6+bfdo/I9MwezqbyHVYn
Threatray	1'144 similar samples on MalwareBazaar
TLSH	T18FA4F14372854741D98459BA84EB243513E5ACEB2A73DB823F08B3DD5E613B3DE8178E
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://smidgel.ru:443/uplcv?utm_term=how+to+open+stanley+bostitch+stapler+b8hdp

Verdict:

Malicious activity

Analysis date:

2021-08-12 02:44:53 UTC

Tags:

evasion opendir loader trojan stealer raccoon vidar rat redline phishing danabot

Link:

https://app.any.run/tasks/5ab2d26d-f0cd-4b1d-ad57-130358776c16

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/178508/

Detection(s):

Win.Packed.Redline-9876022-1

Win.Packed.Generickdz-9879553-0

Win.Packed.Redline-9879939-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP POST request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Reading critical registry keys

Deleting a recently created file

Creating a window

Sending a UDP request

Stealing user critical data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5538ca67-46b2-4ee9-9b69-7000e3c19fc9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/831467

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d/

Threat name:

ByteCode-MSIL.Infostealer.Reline

Status:

Malicious

First seen:

2021-08-12 00:34:42 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=leqptcd6x65jqoh3x7njkmg5ferxe2tdc7to3p66qxtbxuct7moq._file

Verdict:

malicious

RedLineStealer

1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

RedLineStealer

1d169f4e5102f1c9a69a09a5a1756b3360ab3d592196bcd62c922a99bc50d3b0

RedLineStealer

2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf

RedLineStealer

57c362ce666df098b6f501828fad20d1b4ff36398634ca4153de9dc43ff1fb9c

RedLineStealer

76aeea722182d2097b74fbe3bc9be747d718ea80967d1afb7c011af2d6981485

RedLineStealer

8cbafd04f32cc48843fcac1913ae731b04e990a44d789a74b0ef50785874d5aa

RedLineStealer

c415d4f2eccd8fbbcaacfb5afb4bf208115bf2ec5acb97bd436779f21d39a0e1

RedLineStealer

e5b091808b73fbf1b94a24bb98d8ac945012ec6b69f0979371af225ecdb804df

RedLineStealer

ee634bdc72e1a5b57eb1f7d42e5d0a4b7c9b1f7aa53a1f53564bf4ff5c74361a

RedLineStealer

+ 1'134 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:11_08_r discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210812-fffvyb3562/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine Payload

RedLine

Malware Config

C2 Extraction:

zertypelil.xyz:80

Unpacked files

SH256 hash:

6eac9b85348b3bd68973ec4184e64da7b034bb6e60906a0e2f6e6593785063d4

MD5 hash:

f85f6fc1985d32340ac740c167bd15e5

SHA1 hash:

729207469a7f71381ddc9faf3d3ebb995b3bd010

Link:

https://www.unpac.me/results/1cf56f84-34f6-4ec7-90fb-81bee0c8cb28/

SH256 hash:

5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d

MD5 hash:

72ed407fbc0007404b05abc1a8b66d6e

SHA1 hash:

d1a1b6a76402387cbda30b31b54aaf0717c0e227

Link:

https://www.unpac.me/results/1cf56f84-34f6-4ec7-90fb-81bee0c8cb28/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)