MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 3 File information Comments

SHA256 hash:	592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b
SHA3-384 hash:	de6589b403ed7e34b0ef9255deff49c09b659432bfada11998baca35a2dad7838837bfc3a47fd9773e1a1c4462ab4b4f
SHA1 hash:	6ee158437513a43ef4a7c0cc885ea1fbdce8519e
MD5 hash:	fdc08cd73067053b5ffe1fa6ff89db69
humanhash:	magnesium-charlie-earth-bacon
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'678'450 bytes
First seen:	2022-10-19 17:44:35 UTC
Last seen:	2022-10-19 17:53:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a93cea5329220fb90674a1f0bde2cd0e (40 x RedLineStealer, 7 x RecordBreaker, 2 x ErbiumStealer)
ssdeep	24576:5uZGB2rgxdDlnFmNXIhp4cFYuYrAEfbKM2rHyx+doKH6ZG3DPAGLY/r6TiugoePY:5mo8gTJp46d3DPqrAeoisze+3Rl3/
Threatray	900 similar samples on MalwareBazaar
TLSH	T142C52C135A8B0D75DDD27BB4A1CB633EA734ED30CA3A9B7BB608C43959532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://79.137.192.57/tool/softwinx86.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
79.137.192.57:48771	https://threatfox.abuse.ch/ioc/895009/

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-19 17:47:10 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e6c4f980-94ba-42ec-9aff-5aa6aa2992cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321806/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.154054.10340.18152.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/43868/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/635037a0455bf4ac5c716542/reports/c020065e-459d-4f1e-b516-f87989e2000f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0e94b3d9-f295-4d0f-ad8e-d6417e0c3026

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1093692

Signature

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-19 18:17:32 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lexvhxce267vkuliywyikjfxp4d4ck5ldnmcqgsfbnpgkvhiyinq._file

Verdict:

malicious

RedLineStealer

7a326252bacc0fd06ca168c8f89389f6bd89058385e6b07d7cd9676612bd93cd

RedLineStealer

7d1e849023f5d5dfa29320d5c2d067a101bb16231b98b312d35d18a02bf0e58e

RedLineStealer

824790997e40228c635b02fa75148e6e53b28ce5062509614bcad4570f6a455f

RedLineStealer

9cd9e630d1113f57e6f0dcc6164bac77282e172b8f69a289008a7a5065e8331c

RedLineStealer

ee2f4e019c67ac698cd6070a2a10c4b634bccc69147c2fa8c38984835f7ffa5c

RedLineStealer

+ 890 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1310 infostealer spyware

Link:

https://tria.ge/reports/221019-wbqjjsacd3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

79.137.192.57:48771

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6f1aeeb5-728a-4f03-98bb-400c6363e5fd

Unpacked files

SH256 hash:

8a8feb865311ef6c004b8cc15fa17cef7f758a9ce6456a88fd49e5a8c2350172

MD5 hash:

97c4834e5b338a40a75fd58d214fc9d4

SHA1 hash:

193f69c664df4a7cc0e5f44688b1bb4458c19fb6

Detections:

redline

Link:

https://www.unpac.me/results/bfd04a59-e7e1-4943-8dcd-1012f3343e88/

SH256 hash:

592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b

MD5 hash:

fdc08cd73067053b5ffe1fa6ff89db69

SHA1 hash:

6ee158437513a43ef4a7c0cc885ea1fbdce8519e

Link:

https://www.unpac.me/results/bfd04a59-e7e1-4943-8dcd-1012f3343e88/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/592f53dc44d7bf555168c5b08524b77f07c12bab1b58281a450b5e6554e8c21b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/321806/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample