MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d63d1c4eb964d27d53d83b399b38ffad6609b204b8741e5626d4427cc7421af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d63d1c4eb964d27d53d83b399b38ffad6609b204b8741e5626d4427cc7421af
SHA3-384 hash: 4434469be55a727b09841002f2ab956eee3930a8cfbfcb4bc51893593c47afbba1f36e1326cd6c97994f7550ea27f394
SHA1 hash: 606a6e995b3754ff1494730242cf9fdf65936740
MD5 hash: ae4ac666d4c6073f23e078629ee01bba
humanhash: eighteen-may-ink-harry
File name:ae4ac666d4c6073f23e078629ee01bba.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:410'112 bytes
First seen:2021-03-10 09:49:16 UTC
Last seen:2021-03-10 11:53:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 07c52af3a73be472fc8927397fca252e (1 x DanaBot, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 12288:ht4WJRwZgWOg2hv1XF2r8ha5WUnI0YlfH:hyWiZnO/FNs8GGl
Threatray 325 similar samples on MalwareBazaar
TLSH 0C94BF0DB790C434F5F712F45D7A93B8A5397AA1AB2450CF62E42AEE5734AE0AC31347
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://maiad.xyz/

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2cad950cc1c4f5c7480a454f61399a36.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 08:37:54 UTC
Tags:
evasion trojan loader rat redline phishing stealer
Link:
https://app.any.run/tasks/af9c0b6e-dd09-4715-b9a9-5d0dec19eaa2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123550/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.62636.22187.1209.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/634137
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 18:37:01 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0b3126faa1c9aefa49138147a91524c66e466f572dcac2e0121c53a187ccb076
RedLineStealer
3a77d697b35b9de741ac611c904aca942a17d4ac8f786f4f9b9532dec277a8f6
RedLineStealer
411c2e9854cd5405b206312a9645021c81b8ae0d1ed8c2752e67b17fd075a4d1
RedLineStealer
52f30ac40ae064c855d2dd8ae61b25884f405dd2b6747aebd592718d75d8aee9
RedLineStealer
877c1cec3dce25939698f1f459f4b68a1d9ecdb3c7ebc82f241e136ead494731
RedLineStealer
94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
RedLineStealer
b3c2ed1edebee42767277652dbdb2c3c17c3b33707c975b1679e956658701825
RedLineStealer
bef5636daa6cccce3b38d8d284de1cb1ad2cfb36cbcaede1c8f7478e706f1201
RedLineStealer
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
RedLineStealer
e273f65f5eff32aa37c8e88a9cc825b4826eabc8b8e708d850a0b4a3bdd60b8a
RedLineStealer
+ 315 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware
Link:
https://tria.ge/reports/210310-p8pk34py8n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
8b787e81251b3a70afc9f15d961820c20d3733c62ec78af6f4ace5b7f8017aa7
MD5 hash:
ed44fa199653624c13afb59549c0ccda
SHA1 hash:
eb434c6de5a3f4baba88582047d2894e8246f10e
Link:
https://www.unpac.me/results/9359ffc4-2ac2-4db6-8b4b-2b3a6a31a042/
SH256 hash:
18aa63b95b49a51df96e9e979ea6242d75d9f9edb22498af0a7fc992c55f0f14
MD5 hash:
cacd9f48af398d030a0e8bcc671d77b6
SHA1 hash:
b4fa5e84068dee34b25b1840115c87f9589104e9
Link:
https://www.unpac.me/results/9359ffc4-2ac2-4db6-8b4b-2b3a6a31a042/
SH256 hash:
e9d0f2612978d7ab0816adafb7780f2842087e78690e58ba9d584dcf3e788059
MD5 hash:
d0f467ceec55dc4e0f6a257b037cf4e5
SHA1 hash:
7130e7e0ae88cb1d7a0a385d0849d9756ae14ce7
Link:
https://www.unpac.me/results/9359ffc4-2ac2-4db6-8b4b-2b3a6a31a042/
SH256 hash:
5d63d1c4eb964d27d53d83b399b38ffad6609b204b8741e5626d4427cc7421af
MD5 hash:
ae4ac666d4c6073f23e078629ee01bba
SHA1 hash:
606a6e995b3754ff1494730242cf9fdf65936740
Link:
https://www.unpac.me/results/9359ffc4-2ac2-4db6-8b4b-2b3a6a31a042/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d63d1c4eb964d27d53d83b399b38ffad6609b204b8741e5626d4427cc7421af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5d63d1c4eb964d27d53d83b399b38ffad6609b204b8741e5626d4427cc7421af

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/123550/
  
URLhaus
https://urlhaus.abuse.ch/url/1056715/
  
Delivery method
Distributed via web download

Comments