MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
SHA3-384 hash: a723829f63e7e8c8e0d5581536c61e8d78e227ca044080330902b26cb0905f3955b8668276bbec3cfb193434fc36e9de
SHA1 hash: 1b02d050cc574cd8354f2dcb5de4e64466be8e8d
MD5 hash: 24fbb160ccad6b035b0ed7e1070f820f
humanhash: tennessee-mirror-december-thirteen
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:907'810 bytes
First seen:2024-09-12 06:22:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:0NA3R5drX/W50Fubje9k0jHOB8nDFQXi7hQH2:V5Ou0YkAHOi0i7hQW
TLSH T16E151202F9C2C8B2D62219314A19AB56657C7E201F24CFAFF3D86D6DD8390D17625BB3
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: http://147.45.44.104/lopsa/66e27cc59b93f_111.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
435
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-12 06:25:21 UTC
Tags:
stealer metastealer redline netreactor
Link:
https://app.any.run/tasks/d8c29afa-a03a-4664-9551-250d734e84ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Redline-10009299-0
Create hunting rule

Win.Trojan.DarkKomet-10027799-0
Create hunting rule

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e288c876bc4542b0497bde
Tags:
Encryption Generic Infostealer Static Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Adding a root certificate
Changing a file
Connection attempt
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc installer microsoft_visual_cc redline sfx
Link:
https://www.filescan.io/uploads/66e288c7a9c26f9f5f25f1e0/reports/c03b2ccb-c294-4c9b-af24-6749631f1584/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7ab5132-5a3c-4abe-bce4-c9beff1bdd0e
Result
Threat name:
PureLog Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1509865
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1509865 Sample: file.exe Startdate: 12/09/2024 Architecture: WINDOWS Score: 100 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 7 file.exe 6 2->7         started        process3 file4 24 C:\Windows\Temp\2.exe, PE32 7->24 dropped 26 C:\Windows\Temp\1.exe, PE32 7->26 dropped 10 1.exe 2 7->10         started        13 2.exe 5 27 7->13         started        process5 dnsIp6 50 Antivirus detection for dropped file 10->50 52 Multi AV Scanner detection for dropped file 10->52 54 Contains functionality to inject code into remote processes 10->54 62 3 other signatures 10->62 16 RegAsm.exe 6 24 10->16         started        20 RegAsm.exe 10->20         started        22 conhost.exe 10->22         started        30 107.189.171.131, 14307, 49731 IOFLOODUS United States 13->30 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->56 58 Machine Learning detection for dropped file 13->58 60 Found many strings related to Crypto-Wallets (likely being stolen) 13->60 64 2 other signatures 13->64 signatures7 process8 dnsIp9 28 185.203.241.68, 40901, 49730 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 16->28 32 Installs new ROOT certificates 16->32 34 Tries to harvest and steal browser information (history, passwords, etc) 16->34 36 Tries to steal Crypto Currency Wallets 16->36 38 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->38 40 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->40 signatures10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186/
Threat name:
Win32.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-09-12 06:23:05 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3zg66kse3s7buurt4ngeaarhfmf2dngiuyoeclw3omhs2k4egda._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) credential_access discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240912-g5gfeavhpe/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.203.241.68:40901
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/823e3bd7-1a0d-45d6-8e3a-74724cdfe8ee
Unpacked files
SH256 hash:
da2bc836ff4d30ddefd75a1031e9d35607134527b458fc4628f3f02bf0973d1b
MD5 hash:
02494a7f7c0ec5d64ba4df1f08ed9335
SHA1 hash:
8a78a54a1a5b0744d59d86fd67e8c1097b19bf37
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/399dcee6-198f-4a22-81ef-d2b278b32c1d/
Parent samples :
2ec15fc6c4dfa14162599fd7d46a8c513280ab7dc3a2bb5d7d279f7a10a96697
5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
bb6b7a806b6fbc27e47c95d876f018a0e1823d696f76e58a3d6b5f745d72b070
a094b0cc4ae679c7cc50aaea4a59d08fb7db868148c7d0e79baf831d34d6171d
95e3b81574e6cbbd2efa792b1d4aadf9acfd6514e469b1e15eae7988f050cf2e
SH256 hash:
0d46b3f1b81d0d759f747e16ddd0dd28f8d0a35541c73bb73ed901a1429bf4db
MD5 hash:
e04eeb438d800e868172948cdd2f1d0c
SHA1 hash:
104f0747e679e89827d513dc2b17f645336d5ba1
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/399dcee6-198f-4a22-81ef-d2b278b32c1d/
Parent samples :
2ec15fc6c4dfa14162599fd7d46a8c513280ab7dc3a2bb5d7d279f7a10a96697
5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
bb6b7a806b6fbc27e47c95d876f018a0e1823d696f76e58a3d6b5f745d72b070
a094b0cc4ae679c7cc50aaea4a59d08fb7db868148c7d0e79baf831d34d6171d
95e3b81574e6cbbd2efa792b1d4aadf9acfd6514e469b1e15eae7988f050cf2e
SH256 hash:
51fcd2ccc20e6eee7a4b5957aa26aad05005008215aa2ae418534a0d08c19a4e
MD5 hash:
1bc58c678d268297a69d05378f6543c9
SHA1 hash:
0eadec95966b5717245960006df2e004303810a5
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/399dcee6-198f-4a22-81ef-d2b278b32c1d/
Parent samples :
f3d5417adab3fcf3d8f70ed37e7acef0b677ab7907122c7900133ebfa00d8458
5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
4ed6d72fef68c583439e803871226e76588ce6436d10362011b21763e0ccf176
SH256 hash:
4a6b7397175103c7917de130fcde42cfe7b19d5a9ceee6869ccf3cd461268ede
MD5 hash:
f12880a5ed9bf9a474e56365d2836f1a
SHA1 hash:
71a38ccbff7eee2332bc884f255c9fc6d69c64f2
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/399dcee6-198f-4a22-81ef-d2b278b32c1d/
Parent samples :
2ec15fc6c4dfa14162599fd7d46a8c513280ab7dc3a2bb5d7d279f7a10a96697
5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
bb6b7a806b6fbc27e47c95d876f018a0e1823d696f76e58a3d6b5f745d72b070
a094b0cc4ae679c7cc50aaea4a59d08fb7db868148c7d0e79baf831d34d6171d
95e3b81574e6cbbd2efa792b1d4aadf9acfd6514e469b1e15eae7988f050cf2e
SH256 hash:
f3d5417adab3fcf3d8f70ed37e7acef0b677ab7907122c7900133ebfa00d8458
MD5 hash:
ab06af28eabd848a572023a76ce875ac
SHA1 hash:
80a6338acd08b1c52b008179ed1c43fa6892fac5
Link:
https://www.unpac.me/results/399dcee6-198f-4a22-81ef-d2b278b32c1d/
SH256 hash:
5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186
MD5 hash:
24fbb160ccad6b035b0ed7e1070f820f
SHA1 hash:
1b02d050cc574cd8354f2dcb5de4e64466be8e8d
Link:
https://www.unpac.me/results/399dcee6-198f-4a22-81ef-d2b278b32c1d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ef26f795226/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5ef26f795226e5f0d2919f1a62001139585d0da64530e20976db9879695c2186

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3168349/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments