MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2
SHA3-384 hash: 48bb1d457f6de886302cbacfbf16ae24585113b779e6f3fc475ccb8221a22eb850df6ee167f33248daf5f3cd52b1a4ec
SHA1 hash: 784ab9f1879c644da28f4e3cb4887e95643e6378
MD5 hash: 3964cb1d8a56fcbf13e286e8fe94f6f6
humanhash: idaho-fillet-nine-virginia
File name:3964cb1d8a56fcbf13e286e8fe94f6f6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:428'544 bytes
First seen:2021-06-26 07:14:59 UTC
Last seen:2021-06-26 07:41:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a891687ee9846e9d6ffccd45a4930df (2 x FickerStealer, 1 x Glupteba, 1 x RedLineStealer)
ssdeep 6144:fvfi6WeA0UXodEGbxbBSdIewQbkmRLKVeMCtO/KJs7Z3Wp0ZlZDqEk:Pi6WeA0UDkxb3VD4aktOiJs70cfOE
Threatray 945 similar samples on MalwareBazaar
TLSH F794AD11EAA1C034F1F302F89A7593BC953E7AB15B6450CB12D4EAEE4A346E2ED31717
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3964cb1d8a56fcbf13e286e8fe94f6f6.exe
Verdict:
Malicious activity
Analysis date:
2021-06-26 07:15:39 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/a2a8bece-48d6-478c-85a7-bb713ccca9e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168435/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.6682.5956.8038.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e81b719-ef49-41a7-b327-44df5fc53370
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808406
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 07:15:12 UTC
AV detection:
32 of 46 (69.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqmrifg2a2mgauexx3dh67detqsl2f3m3noan6b4uij3rmct2tza._file
Verdict:
malicious
Similar samples:
0346531afa41316034e3e2165641030345eafb490028b03146b4b137f6b58138
RedLineStealer
381f46ccd38428d37da5ef3930b7b43dacfcebaad1d9e57b997d0f6af89fdef3
RedLineStealer
3ce3b3c69c51579cfcdfdcd19aab403d8a6b53c5c659ca8aaca5123ef5992eee
RedLineStealer
6117422892b290bd26bde0e3e1e496451c83d276d098336db9d32dea86c16790
RedLineStealer
b13c2ba022b6d82bc66dd7cc64e6cf5cc2e799615dd2aaeeeb345452e1331b68
RedLineStealer
c1bf7b86768806a3689e4f14be7e98a192bd48d8ac045ba71ec9b3b27b1fdfda
RedLineStealer
c2043307c84de161f91db255e23fef39870d3fe1f6d360a02054c7ea98a35ba8
RedLineStealer
f02ed3a78211bd9b91772d2a297e6b34a8171627b0c78b88575ff03c40b70b72
RedLineStealer
fbef875f61027e592a684c32ff682b80d94e95966c42f73a4a04893f876513a7
RedLineStealer
ff43e5ff78c057004608c0595a0d39e06e41ef09ce5be9120eff598a6782c522
RedLineStealer
+ 935 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pudt discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210626-6snx1kvg42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
176.111.174.254:56328
Unpacked files
SH256 hash:
d3a86e8c7dfc6da4450f1a19e214637dc87e4bf9e0ad30034803ab80cace095c
MD5 hash:
cb5fc5dd3ba9fdd7af4b8eecf33f77d5
SHA1 hash:
d2bf6ecc946301c58381a88bf12d74204314b7e8
Link:
https://www.unpac.me/results/753a9757-a9df-48b8-b000-8d6ea834ea1a/
SH256 hash:
a3774922e16ff1224a3e509b6fffc7c1dabe5a9a680539608b78839e481d7f1e
MD5 hash:
651e96a0d52076aa5ed2d82739b5c9b1
SHA1 hash:
b1ccd75ad0feed1d11deecb72ef0abac5e3ecf09
Link:
https://www.unpac.me/results/753a9757-a9df-48b8-b000-8d6ea834ea1a/
SH256 hash:
e13e35685114980f612af2304d7916557b03dc43609ada58de42bfa1bd5929d1
MD5 hash:
d73b577cdc3854b7ba4b09f17a84e1db
SHA1 hash:
0b60823181914658cc07e8629fc9b5ddfcdf1fee
Link:
https://www.unpac.me/results/753a9757-a9df-48b8-b000-8d6ea834ea1a/
SH256 hash:
5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2
MD5 hash:
3964cb1d8a56fcbf13e286e8fe94f6f6
SHA1 hash:
784ab9f1879c644da28f4e3cb4887e95643e6378
Link:
https://www.unpac.me/results/753a9757-a9df-48b8-b000-8d6ea834ea1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/168435/
  
URLhaus
https://urlhaus.abuse.ch/url/1394014/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393122/

Comments