MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments 1

SHA256 hash:	5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7
SHA3-384 hash:	be9716ebbafb368595a04c9c6b6e1ffcb0c0a6bc9112e78023003ee709dff1f9e9ac55909cda8666a27cd2f0faef1258
SHA1 hash:	896f4d44af049f146a352c4878ccc8eaa72c640a
MD5 hash:	5268264a61103d13b13afc16f6ddb4af
humanhash:	cola-angel-edward-fourteen
File name:	5268264a61103d13b13afc16f6ddb4af
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	946'514 bytes
First seen:	2021-09-13 22:03:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep	24576:F20gPgFK0ZRV1QxAVBbIcXLaEJiMPSjTM8Lzr2:8K9RwxAjIELtzSM8q
Threatray	154 similar samples on MalwareBazaar
TLSH	T16615022278D1C071DC3278F059A8C322DAB5BD325A71564BFBB13B592A71993CE1A70F
dhash icon	1c06b7b5b547330f (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5268264a61103d13b13afc16f6ddb4af

Verdict:

Malicious activity

Analysis date:

2021-09-13 22:04:22 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/a8c5c4dc-1443-4228-bc64-3811b32522fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/187589/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Moving a recently created file

Deleting a recently created file

Self-deleting of the BAT file

Launching a process

Using the Windows Management Instrumentation requests

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Launching a service

DNS request

Creating a file in the %temp% directory

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Launching a tool to kill processes

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/6175062bdb358dd15ed91dbc/reports/079653d4-2e5c-49a1-80bf-6507c27760f1/overview

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f8fbf24-f413-4385-b520-7bc301ef071e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/850202

Signature

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7/

Threat name:

Win32.Backdoor.Quakbot

Status:

Suspicious

First seen:

2021-09-13 22:04:06 UTC

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=loxpyv5osyhuc52vv4nfyc3wwmysxy2j3vu4h7okw5rqe4fnpp3q._file

Verdict:

malicious

RedLineStealer

390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf

RedLineStealer

4da1e9b11e61a8f2633da08aa63bb869e7130d04b15d06a81db1047f687ebcc5

RedLineStealer

9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875

RedLineStealer

cb8bd17e49390c51c71aeb5176fabd5c0dcef8aca83c7dce4af0b3e378c2e5ee

RedLineStealer

+ 144 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:newaqq discovery evasion infostealer spyware stealer

Link:

https://tria.ge/reports/210913-1yxzcsedh8/

Behaviour

Delays execution with timeout.exe

Kills process with taskkill

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Sets file to hidden

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.107:61144

Unpacked files

SH256 hash:

5afe9dddd94d74947dbeb7c1f7f51ebc42cbf341ddb1c2a1bda6ee2db71614bd

MD5 hash:

dd2df9fd8cbd4e3ba2941a59f07de846

SHA1 hash:

f588e70c32fcea64db8668093d4b47e5f191e16d

Link:

https://www.unpac.me/results/047d2a19-c62a-4ac2-a618-4cc61ae1f97d/

SH256 hash:

4176a463a08e43048de2ec1e7a79c9b2f6de42a58aeb598dc53b3292481cb220

MD5 hash:

d6e99bb80317bac2a230c3770ec0d44b

SHA1 hash:

aeaa39a01c5b84156ce01ea0989fe51cf7717014

Link:

https://www.unpac.me/results/047d2a19-c62a-4ac2-a618-4cc61ae1f97d/

SH256 hash:

20563cbcbc35102c982e4bbc04be2a460ba6ead16d65f874afbdb4b20ed8c21a

MD5 hash:

bfcc4623414b32ebc8930b9d5754320a

SHA1 hash:

a03fa16f90de03ea4b59d11638edd1d0b8a1ebe6

Link:

https://www.unpac.me/results/047d2a19-c62a-4ac2-a618-4cc61ae1f97d/

SH256 hash:

c26e36640483841e2ffea0614195f9f140a50e2fd9bf9a4d10f445b1bda145e2

MD5 hash:

7d6070ae80370bb231e79ebcd8d644f7

SHA1 hash:

effe0c39eec8e50930cd53351de6e45b5b44ee2d

Link:

https://www.unpac.me/results/047d2a19-c62a-4ac2-a618-4cc61ae1f97d/

SH256 hash:

b2e088eb4bfeecf74f33f4100b1930389e1f5224d00807167d29e92b54c1667d

MD5 hash:

9bd44aeb573ce2d914ec8a5c76b13089

SHA1 hash:

2064c8f1b85c7ebb1d8d864df6b02b700c79f77f

Link:

https://www.unpac.me/results/047d2a19-c62a-4ac2-a618-4cc61ae1f97d/

SH256 hash:

5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7

MD5 hash:

5268264a61103d13b13afc16f6ddb4af

SHA1 hash:

896f4d44af049f146a352c4878ccc8eaa72c640a

Link:

https://www.unpac.me/results/047d2a19-c62a-4ac2-a618-4cc61ae1f97d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5baefc57ae96/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.