MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c968f950d9caa92fd31a24e73cc563ccf65b8ab8761d3a63ea97a569b6ac05a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 5c968f950d9caa92fd31a24e73cc563ccf65b8ab8761d3a63ea97a569b6ac05a
SHA3-384 hash: 9e5c630ba8a64c2b46e974d193b68fd2465801473a5910d8e6f92f391526020bd68b242b0e2ade7deedf02a0981fa605
SHA1 hash: 9ac6db04fd013dd285e22c6ef44ffff8f8857bc0
MD5 hash: 6e565e1c7001191ad85b8f5ef5c00a01
humanhash: lima-william-colorado-spaghetti
File name: 6e565e1c7001191ad85b8f5ef5c00a01.exe
Signature: RedLineStealer
File size: 803'328 bytes
First seen: 2022-06-29 16:03:13 UTC
Last seen: 2022-07-14 06:25:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 064ab38fd632ba15d0a669e416a8b83f (2 x RedLineStealer)
ssdeep: 6144:Sc9GRgNK7/Y0VUv/VPuR0f2t9FbJThpP6e59WmjbE9WJJP8PVtLHjBhPJN3v6AEg:68ys75P
Threatray: 6'255 similar samples on MalwareBazaar
TLSH: T15C05FF9AB6E6174FEF6F593648333C32CF17C6A2DF431902464B875DB96BB840362198
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 3
# of downloads: 216
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: DEpkclZoAzS2EQbMKsUNlJqm.exe
Verdict: Malicious activity
Analysis date: 2022-06-30 11:31:02 UTC
Tags: redline trojan rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending a custom TCP request
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Searching for the window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict: UNKNOWN

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 68 / 100

Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected RedLine Stealer

Behaviour
Behavior Graph:

Threat name: ByteCode-MSIL.Trojan.Pwsx
Status: Malicious
First seen: 2022-06-29 15:36:10 UTC
File Type: PE (.Net Exe)
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:hija discovery infostealer spyware stealer

Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload

Malware Config
C2 Extraction: jennerardar.xyz:80
Unpacked files
SHA256 hash: fcbd36705b3459041145daa7109564e1cc191cad5fa7d09e6aa3221f5eb7ede1
MD5 hash: b2b1e074d0d997c6d69ea8a5fe39164d
SHA1 hash: eda572ebe8652b60f144eb0a167133b57a666e1a

SHA256 hash: 5c968f950d9caa92fd31a24e73cc563ccf65b8ab8761d3a63ea97a569b6ac05a
MD5 hash: 6e565e1c7001191ad85b8f5ef5c00a01
SHA1 hash: 9ac6db04fd013dd285e22c6ef44ffff8f8857bc0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments