MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 598586893fb0e16e8ed4d6fda07e534a8907cc29df41187f825919056f1a37f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	598586893fb0e16e8ed4d6fda07e534a8907cc29df41187f825919056f1a37f4
SHA3-384 hash:	25dddb5bd4510789f8094f4d48f099a13da9910a0703576105d4de3bb2ba281180b7ebd18610188a892739c3f9cb96a6
SHA1 hash:	975913af05cc0c417833f7213c58baf7910d21a9
MD5 hash:	5520a5278a2c1e66794cccf27d607ada
humanhash:	stairway-queen-montana-kilo
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'606'624 bytes
First seen:	2022-08-22 19:05:04 UTC
Last seen:	2022-08-23 08:44:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep	49152:8OUTAhdIpQqsoVrkqNFWbFg9v1vWinF5+hS5ZqFgJQ4qtq/8kufxJ5E+ylpDxu+y:88hyqk4O9BF573qu/8kSxYz97iA0PVT
Threatray	41 similar samples on MalwareBazaar
TLSH	T1F926123353955191C4F68C368537FEE171F7036A8B42A8FA25CAEDC229325E4F726683
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	ccb2b2f0f0b2ccd4 (3 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Panasonic SC-ZMAX30 Combo version
Issuer:	Panasonic SC-ZMAX30 Combo version
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-08-21T21:48:43Z
Valid to:	2032-08-22T21:48:43Z
Serial number:	6fb5a9ea9afc43804dcb1d7fd242f1dd
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	a1435cd67ac81a15b0ff25779e911aa9cc0add136c6f5db672bf2e804d4dbc84
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://cdn.discordapp.com/attachments/1009372727687270504/1011350191040888884/Galaxy.bmp

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-08-22 19:06:37 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/b6931bd7-7802-462b-a35f-bf53c6f099e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300332/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.22064.14165.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a file in the system32 subdirectories

Creating a file

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/6303d3b5f205e2ee766f6344/reports/d95a8fdf-fff3-4b68-918d-d32587b69c5b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0bd6dbfa-2ef2-4b5e-8f3c-882583e7fe03

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1055825

Signature

Malicious sample detected (through community Yara rule)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/598586893fb0e16e8ed4d6fda07e534a8907cc29df41187f825919056f1a37f4/

Threat name:

Win32.Spyware.RedLine

Status:

Suspicious

First seen:

2022-08-22 19:06:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lgcyncj7wdqw5dwu2362a7stjkeqptbj35arq74clemqk3y2g72a._file

Verdict:

malicious

RedLineStealer

573695b2ac9e3a239ecddee3b688aece5257db0677bf551a259a41b31db07050

RedLineStealer

6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22

RedLineStealer

7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6

RedLineStealer

9d2faa0580721927557823d1c965fb34483a3744a6d1d7418e976f0e35322c79

RedLineStealer

ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645

RedLineStealer

c21c6b1ab7fcf40e8286562879a9e8977cd3ef8764a4baac711dbc3685dbda18

RedLineStealer

f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d

RedLineStealer

fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a

RedLineStealer

+ 31 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220822-xr23yscabl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

ba212c8f0abe3910c917e56dba9471f48a11eb167d09ed7cc5f9e67a8005f142

MD5 hash:

16b639544646d5f39708c252b4d782c8

SHA1 hash:

c345aa2aaee332c3e24e7a061773138dd5ca34e5

Link:

https://www.unpac.me/results/99d9ad9e-429f-4024-bab1-b218ce41317b/

SH256 hash:

161b8b561b23313ed24a2a85e9f119312758446598ddcd492d097ab187b8b62a

MD5 hash:

bfe88e4c9d4a2a9d36e1fe1364cf2aba

SHA1 hash:

76def28f758c936e134ac18adca2fa7c99f03c27

Link:

https://www.unpac.me/results/99d9ad9e-429f-4024-bab1-b218ce41317b/

SH256 hash:

598586893fb0e16e8ed4d6fda07e534a8907cc29df41187f825919056f1a37f4

MD5 hash:

5520a5278a2c1e66794cccf27d607ada

SHA1 hash:

975913af05cc0c417833f7213c58baf7910d21a9

Link:

https://www.unpac.me/results/99d9ad9e-429f-4024-bab1-b218ce41317b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/598586893fb0e16e8ed4d6fda07e534a8907cc29df41187f825919056f1a37f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300332/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample