MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f737f1b5a908056939a3a813db4ed653b887c4e67fc19fab9cd72a9a3c748da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 5f737f1b5a908056939a3a813db4ed653b887c4e67fc19fab9cd72a9a3c748da
SHA3-384 hash: 3a8923f885f8c19b4562a3ebb07f2d2115e0ca9302bc05424da394fc217d4bccf2b319c09011f5ac13f7215ef3306d30
SHA1 hash: 92d25efa4eab7588a5b4301f14b6d20913b6badc
MD5 hash: 8f584186277856e76a67c56cd018ae24
humanhash: glucose-princess-wolfram-happy
File name: 8f584186277856e76a67c56cd018ae24
Signature: RedLineStealer
File size: 1'240'064 bytes
First seen: 2021-06-28 06:39:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:sXEkX+Gzdeka6cjbikDKXKYTjsXLxU4gtr:OFvpuLYTcCXF
Threatray: 1'018 similar samples on MalwareBazaar
TLSH: 354529D3E7A25C02D2B71B3DC9D9A3347E69AE82151F4E1D20BDF6C60522502FB50F9A
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
185.158.115.170:14088    https://threatfox.abuse.ch/ioc/154585/

Intelligence


File Origin
# of uploads: 1
# of downloads: 123
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9872C5836F6267C8A7A0355AF11FD10F.exe
Verdict: Malicious activity
Analysis date: 2021-06-28 02:46:14 UTC
Tags: trojan amadey opendir loader bitrat rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine infostealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2021-06-27 16:47:09 UTC
AV detection: 22 of 46 (47.83%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:1 discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload

Malware Config
C2 Extraction: 185.158.115.170:14088
Unpacked files

SHA256 hash: 2b923dc2cc4fae623c9e526dc52b3fa90d48c9839582830d8e3c5cc14029e7ea
MD5 hash: 73eea71989305655123bc2f6ac09b4e8
SHA1 hash: a90446028ba1d4dc5d2d2da5c2c4c3f231347d83

SHA256 hash: 1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash: 81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash: d7e05a22b109ce608109dc509029a7fe22b4b8bf

SHA256 hash: cf436139f8f25b4fbe66c74395a67a1d27d70b0a45a7742225a075ba18743fa8
MD5 hash: 6d15de487fc729edea2d7af4a18cf0b6
SHA1 hash: eaf65f2a8490cb16124680c66a616067d38b182f

SHA256 hash: 5f737f1b5a908056939a3a813db4ed653b887c4e67fc19fab9cd72a9a3c748da
MD5 hash: 8f584186277856e76a67c56cd018ae24
SHA1 hash: 92d25efa4eab7588a5b4301f14b6d20913b6badc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer
Executable exe 5f737f1b5a908056939a3a813db4ed653b887c4e67fc19fab9cd72a9a3c748da (this sample)
Delivery method: Distributed via web download
