MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 1 File information Comments

SHA256 hash:	5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264
SHA3-384 hash:	093bf0bba0fe43226e66a94c19414efb460bd79c15d3122987dc7b44a39dbbf3261d9bd548d00131cb0d9ebc67171891
SHA1 hash:	07eda466a42a4fb64eb7fe27fb76c9ad121b9ac2
MD5 hash:	aa26a124d3adbd9c237f6245d54355c7
humanhash:	two-batman-neptune-november
File name:	aa26a124d3adbd9c237f6245d54355c7.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	283'648 bytes
First seen:	2022-09-20 17:55:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a22c0c2b6254602da7446f8e08ebf3ab (2 x RedLineStealer)
ssdeep	3072:d2ORg65+9aV8xDPpTbaA0noqJcjjWK0/degFi35oM8Gaa6nm0Cy4reVIfMdheBCC:ANZhtAoqcjWrbFi35CZa6mY4reVWohZ
TLSH	T14C5401017D44D072C015157288AED751AB69FC42AB325BC73B493FA9EE322C17EB678B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	7169c4cd68683576 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
46.18.107.225:6134

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
46.18.107.225:6134	https://threatfox.abuse.ch/ioc/850710/

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

aa26a124d3adbd9c237f6245d54355c7.exe

Verdict:

Malicious activity

Analysis date:

2022-09-20 17:59:16 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/ff4b3f61-3b78-4986-b2b4-43a45af32046

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311791/

Detection(s):

Win.Packed.Crypterx-9954995-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6329ff73b333b2ec6b3aa918/reports/72f875af-9b2b-4821-8b4c-8fc3e6c6694f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2a3d600-3415-41b7-9fff-25f270238660

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1073985

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-09-20 17:56:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 39 (74.36%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=l2tekjh4rbxwnvntvjjrdyw2utadhkncgecl72qifgypi2rg2jsa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:test discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220920-wh1yvshffn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

46.18.107.225:6134

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/882a1991-43d8-4490-b986-2e8c2554a6b6

Unpacked files

SH256 hash:

ff7f84b41f53c5595cfa327b7d883b0e3ebb8becfb433163d8ab29071d71c9e9

MD5 hash:

79fd3d0ebe5664a5c631b0d4bca4d2c8

SHA1 hash:

3ea6b61c5d47315d9e54cb834e2b25578686b2f6

Detections:

redline

Link:

https://www.unpac.me/results/f84b04dd-b590-4ea6-bb04-ffb811a1caeb/

Parent samples :

5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264
c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123
1fda2d1c1c161e51b6ac01ce6503d62782493417339cb1304a07cbd6f2ff98ee

SH256 hash:

9e5877cf10e8c9c53bb13285efea8cd5f2af26912dabafea603cb217db0baa2f

MD5 hash:

900d22f7b7b4f0dbbf9d87cbe891ad26

SHA1 hash:

2f8a158e41a79e53b9ce098bb96628935d138310

Detections:

redline

Link:

https://www.unpac.me/results/f84b04dd-b590-4ea6-bb04-ffb811a1caeb/

Parent samples :

5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264
cc04d694f64cf0c0e875c279d0aca58c18fe6796dfd94282b61039d400126900
c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123
c0908595a7264db050cdfc6067b6193935fa95812ea93d0a167748f6e34149a7
4be839ef16079be8c184fae241e067b607860f60c7cc45f4de438f0ab1ec722e
1fda2d1c1c161e51b6ac01ce6503d62782493417339cb1304a07cbd6f2ff98ee

SH256 hash:

6ba18a4f251b96bb823f69cf406c33884c3b3181cd6699ebe20b60bec9353710

MD5 hash:

f9a16926a9dba3eef68f91638ac07503

SHA1 hash:

2297b493540960977f10414799f6925595bfa7a7

Link:

https://www.unpac.me/results/f84b04dd-b590-4ea6-bb04-ffb811a1caeb/

SH256 hash:

5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264

MD5 hash:

aa26a124d3adbd9c237f6245d54355c7

SHA1 hash:

07eda466a42a4fb64eb7fe27fb76c9ad121b9ac2

Link:

https://www.unpac.me/results/f84b04dd-b590-4ea6-bb04-ffb811a1caeb/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5ea64524fc88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.