MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b933c3fb67bf55d52084d5007be89d7160bb138c5ff28a7492f0334241c0593. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b933c3fb67bf55d52084d5007be89d7160bb138c5ff28a7492f0334241c0593
SHA3-384 hash: 1c6d4cf728f5dbef7b3837fd7ba1e69d5606d779e231f7f1090da85e672debe026209df20d349d220e2ce724ccc07576
SHA1 hash: 24c68654cf43f5c1c8196a3ef060617f7abcc23c
MD5 hash: 78195a28cd5575b9ce6a0239ca0784df
humanhash: pennsylvania-nuts-carolina-zulu
File name:78195a28cd5575b9ce6a0239ca0784df.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:306'688 bytes
First seen:2021-11-19 10:26:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 60717492774a159a69a9c089c46abb75 (2 x RedLineStealer)
ssdeep 6144:cXIIniKJPVNGUyHlIEYpc/qCnQl5CyfUpe:SNniKJHGtupMlQlJf5
Threatray 3'482 similar samples on MalwareBazaar
TLSH T1E864E00133B0C071E5AB1A316930D7A049BF78726BB441CB67771A2E5EF06E18E79B97
File icon (PE):PE icon
dhash icon fcfcb4f4d4dcd8c0 (7 x RedLineStealer, 4 x RaccoonStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.216.168.100:38784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.216.168.100:38784 https://threatfox.abuse.ch/ioc/250769/

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
78195a28cd5575b9ce6a0239ca0784df.exe
Verdict:
Malicious activity
Analysis date:
2021-11-19 10:28:46 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a0e27b27-e3c5-4f2a-a0f0-54e1d0d56523

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61977bbd4912a8c920a39e2d/reports/95b5e9dc-93ee-45d6-acd7-4a8b638decf1/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba1f9ad0-eddd-4520-be52-0b25a130733b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/892585
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b933c3fb67bf55d52084d5007be89d7160bb138c5ff28a7492f0334241c0593/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 10:26:06 UTC
AV detection:
19 of 44 (43.18%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lojtyp5wpp2v2uqijviappuj24laxmjyyx7srj2jf4btija4awjq._file
Verdict:
malicious
Similar samples:
067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557
RedLineStealer
136b09653c55e04d3c4162c116bebb52dc337d62cdd69e2f0977fbc17e69dfd0
RedLineStealer
2f5ea90c14a9eff6482a7c7c020b9a65faebf7a98af718a1e3c9a3b2356eb509
RedLineStealer
32a870968707205b82b21b74b8e7e295221dd3ef81a6ee67cab7cf5628c89f2d
RedLineStealer
9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784cddd7406dfde89034a4
RedLineStealer
ed786315c90cafc4e4b6fe237cebec8a8bd038b6203da8477d19ec8bbb9a09e4
RedLineStealer
ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868
RedLineStealer
f14f18ed96467a5005fd9bc67ff6b4a2c253a2438461880fff9d5cee2a26959d
RedLineStealer
+ 3'472 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1811 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211119-mgjhradba6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.216.168.100:38784
Unpacked files
SH256 hash:
32b581b32370d39e23c3ef09ee343ef0dd3c5b2a5a852da36d0ac5d4a943225c
MD5 hash:
230c4cbe02163550b3f7b0cf55697860
SHA1 hash:
9a14616eb3c594456c48bb19818f04c2f2ec4d2c
Link:
https://www.unpac.me/results/22eeb8ce-951a-4cfb-9208-2a9612c7e6ad/
SH256 hash:
77027babe298e46885e1d3182f5bc34a1ab6bd2ae07d902e4c868a1c092209a8
MD5 hash:
fdb7485913262b8efe6cbea8029a09b4
SHA1 hash:
8caa8a8a0e5efaea224d25e0fb877fc9e08a0c56
Link:
https://www.unpac.me/results/22eeb8ce-951a-4cfb-9208-2a9612c7e6ad/
SH256 hash:
6198042db49e0403f6c5dd514a596e186cd9780c35e80294bc727b509bf3f3d1
MD5 hash:
102658510d05e463f0afa0ecd5f3c8b5
SHA1 hash:
31b925feff6274124d2eb1ce5605d1ec321db045
Link:
https://www.unpac.me/results/22eeb8ce-951a-4cfb-9208-2a9612c7e6ad/
SH256 hash:
5b933c3fb67bf55d52084d5007be89d7160bb138c5ff28a7492f0334241c0593
MD5 hash:
78195a28cd5575b9ce6a0239ca0784df
SHA1 hash:
24c68654cf43f5c1c8196a3ef060617f7abcc23c
Link:
https://www.unpac.me/results/22eeb8ce-951a-4cfb-9208-2a9612c7e6ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b933c3fb67bf55d52084d5007be89d7160bb138c5ff28a7492f0334241c0593

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5b933c3fb67bf55d52084d5007be89d7160bb138c5ff28a7492f0334241c0593

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1800537/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207582/

Comments