MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bb619d6a64bf773cca69487f857302e1394756c1be6fc87323d973a972ff761. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bb619d6a64bf773cca69487f857302e1394756c1be6fc87323d973a972ff761
SHA3-384 hash: 51a5822b7bc0f01710a9d91ab47da0acef4aa576dea68ab5db3db989f25ab524e4f1de00414e404b807ce4d287bfc330
SHA1 hash: f006364ac70e9a586e18a0290722cbde8d072346
MD5 hash: a01007b72d091290011fe9093ae6984a
humanhash: football-six-blue-mirror
File name:a01007b72d091290011fe9093ae6984a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'683'328 bytes
First seen:2022-02-02 04:26:20 UTC
Last seen:2022-02-02 06:10:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep 98304:pvk97K7UzYn4CT9nwdPBN7bfcQ9XmdkebaS/Gx12K:Je7K7/n4gUPrbfrXj7S/Gx1t
Threatray 471 similar samples on MalwareBazaar
TLSH T12B063326A3F5F08DE38F517013280725CBD5C97936529AE8FBABF2C61B30B09BD56245
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.243.59.131:7171

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.243.59.131:7171 https://threatfox.abuse.ch/ioc/374000/

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a01007b72d091290011fe9093ae6984a.exe
Verdict:
Malicious activity
Analysis date:
2022-02-02 04:39:54 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/883e871b-1663-4530-91e8-b17098778e02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229705/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed raccoon
Link:
https://www.filescan.io/uploads/61fa08196d25ac9e79f9d235/reports/fa2cbaab-986a-49ab-b65f-67a4b59c66b5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc5c2732-e834-4c68-bea9-49c72dd7c0e8
Result
Threat name:
MicroClip RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933075
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found malware configuration
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: File Created with System Process Name
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 565552 Sample: YKwLQVIqai.exe Startdate: 03/02/2022 Architecture: WINDOWS Score: 100 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 Multi AV Scanner detection for dropped file 2->115 117 14 other signatures 2->117 11 YKwLQVIqai.exe 2->11         started        14 0MD2Ej47v7MOT4DNj79eM4go4OVgp3.exe 2->14         started        process3 file4 139 Writes to foreign memory regions 11->139 141 Allocates memory in foreign processes 11->141 143 Injects a PE file into a foreign processes 11->143 17 AppLaunch.exe 15 7 11->17         started        22 WerFault.exe 23 9 11->22         started        24 WerFault.exe 2 9 11->24         started        26 WerFault.exe 9 11->26         started        105 C:\...\v8TPUW6VkQadH4YO5aQqs3CUSicjjV.exe, PE32+ 14->105 dropped 145 Multi AV Scanner detection for dropped file 14->145 signatures5 process6 dnsIp7 107 91.243.59.131, 49763, 7171 MATTEOGB Russian Federation 17->107 109 cdn.discordapp.com 162.159.133.233, 443, 49781 CLOUDFLARENETUS United States 17->109 81 C:\Users\user\AppData\...\WindowsDefender.exe, PE32 17->81 dropped 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->119 121 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->121 123 Tries to harvest and steal browser information (history, passwords, etc) 17->123 125 Tries to steal Crypto Currency Wallets 17->125 28 WindowsDefender.exe 3 17->28         started        83 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->83 dropped 85 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->85 dropped 87 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->87 dropped file8 signatures9 process10 file11 99 C:\Users\user\RuntimeBroker.exe, PE32+ 28->99 dropped 101 C:\Users\user\AppData\Local\Temp\paint.exe, PE32 28->101 dropped 103 C:\Users\user\AppData\Local\Temp\Java.exe, PE32+ 28->103 dropped 147 Antivirus detection for dropped file 28->147 149 Multi AV Scanner detection for dropped file 28->149 151 Drops PE files to the user root directory 28->151 153 Adds a directory exclusion to Windows Defender 28->153 32 cmd.exe 28->32         started        34 cmd.exe 28->34         started        36 cmd.exe 1 28->36         started        39 cmd.exe 28->39         started        signatures12 process13 signatures14 41 paint.exe 32->41         started        45 conhost.exe 32->45         started        47 Java.exe 34->47         started        49 conhost.exe 34->49         started        127 Bypasses PowerShell execution policy 36->127 129 Adds a directory exclusion to Windows Defender 36->129 51 powershell.exe 22 36->51         started        53 conhost.exe 36->53         started        55 powershell.exe 36->55         started        57 RuntimeBroker.exe 39->57         started        59 conhost.exe 39->59         started        process15 file16 89 C:\Users\user\AppData\Local\...\manifest.json, ASCII 41->89 dropped 91 C:\Users\user\AppData\Local\...\icon128.png, PNG 41->91 dropped 93 C:\Users\user\AppData\Local\...\background.js, ASCII 41->93 dropped 97 3 other files (2 malicious) 41->97 dropped 131 Multi AV Scanner detection for dropped file 41->131 133 Tries to harvest and steal browser information (history, passwords, etc) 41->133 61 cmd.exe 41->61         started        63 cmd.exe 41->63         started        65 cmd.exe 41->65         started        67 2 other processes 41->67 135 Detected unpacking (changes PE section rights) 47->135 137 Machine Learning detection for dropped file 47->137 95 C:\...\0MD2Ej47v7MOT4DNj79eM4go4OVgp3.exe, PE32+ 57->95 dropped signatures17 process18 process19 69 conhost.exe 61->69         started        71 taskkill.exe 61->71         started        73 conhost.exe 63->73         started        75 taskkill.exe 63->75         started        77 powershell.exe 65->77         started        79 taskkill.exe 67->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bb619d6a64bf773cca69487f857302e1394756c1be6fc87323d973a972ff761/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-31 04:01:54 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lo3btvvgjp3xhtfgssd7qvzqfyjzi5lmdptpzbzshwltvfzp65qq._file
Verdict:
malicious
Similar samples:
3ed3b03c36265ddffd8382859b7545cec6955331f85907018adc4bacde22e70e
RedLineStealer
5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4
RedLineStealer
64edbaff99fe8c87c2f5f826b0d1741c575295e3ab0c3d16db8bbacd2baebd30
RedLineStealer
673624ae9081ef97c65a9c68991174eca697485696fbba681e9c6981adbd09ec
RedLineStealer
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
RedLineStealer
8d59b88d0b88becf9f74354310db278563eb469ecf535146dc0a1f2c0d79de53
RedLineStealer
d6c6604e4081f2de1edb2ce716ddcc8186f252ca1babc641b83e77fdf14fca7b
RedLineStealer
+ 461 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220202-e24enagcb7/
Unpacked files
SH256 hash:
8cfe11bc609a13c7c3916bfa4915295fe49983d9f225b7a42f32c77726db6211
MD5 hash:
22e95e8caadbc89145d93e132f7c4f94
SHA1 hash:
eeb66d47b4b8a8e071e558231dbe36ccd888dc17
Link:
https://www.unpac.me/results/472202e3-363e-4f67-999f-2045cbd73c15/
SH256 hash:
5bb619d6a64bf773cca69487f857302e1394756c1be6fc87323d973a972ff761
MD5 hash:
a01007b72d091290011fe9093ae6984a
SHA1 hash:
f006364ac70e9a586e18a0290722cbde8d072346
Link:
https://www.unpac.me/results/472202e3-363e-4f67-999f-2045cbd73c15/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5bb619d6a64b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5bb619d6a64bf773cca69487f857302e1394756c1be6fc87323d973a972ff761

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/229705/

Comments