MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
SHA3-384 hash: fe3787b32d070a00619737f3cdacb23d3f4f52c5a3def509a3f437b52f25bd059543212be4a5a9ffd8cdc3c00e92f5a0
SHA1 hash: 94e33295639f263f0249be7c370d9ee81d1949a1
MD5 hash: c1c6070aa3fbca7937dd58081a60493b
humanhash: seven-winter-mars-tango
File name:c1c6070aa3fbca7937dd58081a60493b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:351'232 bytes
First seen:2023-07-22 20:22:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af40374e4a24e91ac811a859f25f2877 (1 x RedLineStealer)
ssdeep 6144:shl6oXbFH7mwiM6g2mQn9hDoYyBJdNt7BLPEFJM:KVXbdK5Nx19hDw3CJ
Threatray 166 similar samples on MalwareBazaar
TLSH T10E74F12237E1C072D57386701971C6A05A3FBC625B7545CB27A86ABE2F707C09E783A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0262222262408000 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
c1c6070aa3fbca7937dd58081a60493b
Verdict:
Malicious activity
Analysis date:
2023-07-22 20:23:58 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/284c3446-9604-4645-a34e-94fc55355fb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/429334/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28360.26314.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64bc3aa642d86ce7e1080830/reports/2d40800e-e289-40c4-bcaa-8f78762a675b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/baaa941d-84ee-4ae1-8f24-672244f9f7d4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277824
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-22 20:23:05 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
22 of 25 (88.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7bxilim7j3ipjtu47zasf4muksq4cf2sy7t2covcvimuavqhuga._file
Verdict:
malicious
Similar samples:
0600905449ba9b91c459bb4cb2859d8b33062475fc568930c15931f7fba4e5b2
RedLineStealer
11878766a2a00d5bbc7774f4697c78d29fbd54293ca264eabf208691f85bbd14
RedLineStealer
3585046470ceeba22fea4a341e6a1b8998d43b4a0a53450747ee361c0c56f770
RedLineStealer
64365156896ff3b41790a7b0dd38bf1efb985a4e5e35135883b34ea69a85b508
RedLineStealer
aaf09dfbee099f00c96d0cc72a4d5c9ac8101522eb43159c7a94ebdc221f69d4
RedLineStealer
c17f2f54fc2cefba56ff8d26c44fd63d71a015ee621aead29b7ca9bb7a0cb856
RedLineStealer
cfb31b24488df4fe68b547bc9a28f994e67191749f8c76dc07a6f25f48475287
RedLineStealer
eed4aae9bac8170a1629ffc3176a04f0ea9e58de8cb295a1332952b6afb3cf46
RedLineStealer
f46b5b289501e88dc89c7d8daf37156459bcacebceaff3af7718190384546dbd
RedLineStealer
+ 156 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230722-y54z5scd6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
178.32.90.250:29608
Unpacked files
SH256 hash:
fe2e6f04b777ad58b3aa60f3ae725613f850cd7f33c1b5cf412b3834289eb4af
MD5 hash:
00981eed9a174d47add5c077be3ce7ab
SHA1 hash:
ff8a981a094b4c5cea1be6671ede01e1f1e6c5fb
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/cb51772f-904e-4524-ab2f-73d080e71bb5/
Parent samples :
5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9
6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565
127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53
9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927
SH256 hash:
72f33a98e88d0f17816c1ffdec17f74ed3b45582e7bfb9a7a97badde980a5583
MD5 hash:
c37db513789ef0b2e4cb7b5c613e2045
SHA1 hash:
fe22e822a3992e9e3fdb58d089b851a093c9a280
Link:
https://www.unpac.me/results/cb51772f-904e-4524-ab2f-73d080e71bb5/
SH256 hash:
95fd90ac54a23cc58162f72131d28c710e165286c3d42df4eec8a60a4cdc524b
MD5 hash:
741eb59c0a7d6e51ad6204088662709e
SHA1 hash:
d1270e8a99f43a1b1bcff9ee293472513c9db28e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/cb51772f-904e-4524-ab2f-73d080e71bb5/
Parent samples :
5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9
6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565
127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53
9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927
SH256 hash:
d14a6bc260e69c17d5116aaf1550add0073a4530b12b74e5aff401cc7dae306d
MD5 hash:
d2f632d0f06158afdb609edc4cdce942
SHA1 hash:
adfa06207dc106a83b68bd958e5300874cc896cf
Link:
https://www.unpac.me/results/cb51772f-904e-4524-ab2f-73d080e71bb5/
SH256 hash:
5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
MD5 hash:
c1c6070aa3fbca7937dd58081a60493b
SHA1 hash:
94e33295639f263f0249be7c370d9ee81d1949a1
Link:
https://www.unpac.me/results/cb51772f-904e-4524-ab2f-73d080e71bb5/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fc3742d0cfa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2687902/
Cape
Cape
https://www.capesandbox.com/analysis/429334/

Comments


Avatar
zbet commented on 2023-07-22 20:22:35 UTC

url : hxxp://194.169.175.139:3003/file.exe