MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655
SHA3-384 hash:	51708a9b2f74477b22e2c352f20b5ab85a67a796fec9c2d41c8a120681a379f78ac9dd8815f74bd90f8e0414f69a4e00
SHA1 hash:	a990a354b9f3f88482ea5f07076ef37ee73094b9
MD5 hash:	a99aca651fc9f0e9c7061d60d5c70a5b
humanhash:	lamp-pizza-tennessee-robert
File name:	a99aca651fc9f0e9c7061d60d5c70a5b.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	6'510'821 bytes
First seen:	2024-01-26 13:20:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	06eb4d13e1bb2dcafbe526f4a64db1ae (6 x RedLineStealer, 2 x LummaStealer, 1 x Rhadamanthys)
ssdeep	3072:PrytrQ/no8o2WyzLsYagTewFZ3oVeIGAbepC3d3FUqOB5WWUdoX8E67:ar2nkyyMCN3SqOblU08
Threatray	59 similar samples on MalwareBazaar
TLSH	T18666AF159071EA2DD80D9236B301C0B478D4A99FE4ED76A775C183EA7F23864A6C4FF2
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13097/50/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
5.75.211.197:443

Intelligence

File Origin

# of uploads :

# of downloads :

373

Origin country :

Vendor Threat Intelligence

Detection:

MetaStealer

Link:

https://www.capesandbox.com/analysis/473028/

Detection(s):

Win.Packed.Pwsx-10019569-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint overlay qakbot stealer

Link:

https://www.filescan.io/uploads/65b3b1bf1dcf0cd544736277/reports/fd7ecef1-b3ae-4103-aa74-7ef5f10a159f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a5ccded7-cc69-41c6-982b-81da3c7dc360

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1381641

Signature

Antivirus / Scanner detection for submitted sample

Connects to a pastebin service (likely for C&C)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2024-01-23 06:54:33 UTC

File Type:

PE (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lhkxsktintohds3jcgc3bk5sf756idrmphnsgz7tsf67fl7lizkq._file

Verdict:

malicious

RedLineStealer

297e3d063b460078308a5c84bb86b13c9bb878a47d02446b0a1ecc25b690e3eb

RedLineStealer

59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655

RedLineStealer

6aaf7768525102f1d8f6418756663c78898e0b701222a196636dfe3d9fb23c62

RedLineStealer

b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856

RedLineStealer

d2df430d281ad78bc0690d63df9896fe195e2df53f2e9182c6f459094f70aa45

RedLineStealer

df4138a66646a5635fcb28efd5b0e7a8df86a67b77e9105516b83cca0233c34a

RedLineStealer

ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcaec7f383b4d81d1b318ee

RedLineStealer

f1bcccd8f101b58cff28e6b38c98a1458e557c7eeab60364ab45063df3e22ae2

RedLineStealer

+ 49 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:978378968 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/240126-qlm9aaedg6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

https://pastebin.com/raw/NgsUAPya

Unpacked files

SH256 hash:

0547714926adc9dbb6e0bcd65f533220416b39133efb385b80c42f4d304415d3

MD5 hash:

e63a2792392ccdcdd2d62d66095c014c

SHA1 hash:

4e7713b8292fcd7f061effa514331d2abe8f647e

Detections:

redline

Link:

https://www.unpac.me/results/ca32564d-ebfb-4618-8cab-f33c2553938a/

SH256 hash:

59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655

MD5 hash:

a99aca651fc9f0e9c7061d60d5c70a5b

SHA1 hash:

a990a354b9f3f88482ea5f07076ef37ee73094b9

Link:

https://www.unpac.me/results/ca32564d-ebfb-4618-8cab-f33c2553938a/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/59d5792a686c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_MetaStealer Create hunting rule
Author:	ditekSHen
Description:	Detects MetaStealer infostealer

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Generic_Threat_b1f6f662 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/473028/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample