MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60974f5d63c5b3f74654b4703bf1a7b56662e016ff184f675da1a78ac96c7b16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 3 File information Comments

SHA256 hash:	60974f5d63c5b3f74654b4703bf1a7b56662e016ff184f675da1a78ac96c7b16
SHA3-384 hash:	69bbbd16a0d9590416ea75ee4cc8a2bb97f9def25eebe02f229845be9ea17552aa19953ec9bfafc4536e3ccb4016f936
SHA1 hash:	abc1fd2eda12ea13dce39eeb7b695e70b4cac145
MD5 hash:	e9a4f34e8ae18813cd5391c264a66e45
humanhash:	april-autumn-eleven-bluebird
File name:	60974F5D63C5B3F74654B4703BF1A7B56662E016FF184.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'437'656 bytes
First seen:	2022-09-10 11:55:31 UTC
Last seen:	2022-09-10 12:52:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep	24576:Q1GEXEZXOYPYCfy0GmoMkXdLeF2bVRbRfIR5tegepbjLh3RLu:Q1ZEZ2gu2R+bjLh3RC
TLSH	T14B655C2AEB0619B4DA23577185DEEB7B97147A248032EF3BFF4BEA0CA4331136C55152
TrID	38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 24.6% (.EXE) Win64 Executable (generic) (10523/12/4) 11.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
95.217.55.221:25921

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.217.55.221:25921	https://threatfox.abuse.ch/ioc/848953/

Intelligence

File Origin

# of uploads :

# of downloads :

560

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

60974F5D63C5B3F74654B4703BF1A7B56662E016FF184.exe

Verdict:

Malicious activity

Analysis date:

2022-09-10 11:58:24 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/0270ddda-a9b0-4be7-8cfe-5e8062e1081d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/309135/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.32832.16722.25325.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/37303/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed

Link:

https://www.filescan.io/uploads/631c7bd4a90642bcbbfb383b/reports/312ce470-04ec-4900-be4a-67f9e93397fd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Certishell

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1ce8de6-ec4f-45fb-9304-8b0c08b715a4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1068202

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60974f5d63c5b3f74654b4703bf1a7b56662e016ff184f675da1a78ac96c7b16/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-08-03 00:53:06 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mclu6xldywz7orsuwrydx4nhwvtgfyaw74me6z25ugtyvslmpmla._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:h infostealer spyware

Link:

https://tria.ge/reports/220910-n31jtsdgdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

95.217.55.221:25921

Unpacked files

SH256 hash:

78f0d8c2d65a503537f2c2de75c11b162e1795042efc7becd0f2da8dd899745e

MD5 hash:

3177136cd8b51a4205c3b7e9b162805e

SHA1 hash:

d8978646d8edfa2c11179d4599a4966c2132e0d6

Detections:

redline

Link:

https://www.unpac.me/results/06deb3cd-c79f-4245-8855-6ad58b28b408/

SH256 hash:

60974f5d63c5b3f74654b4703bf1a7b56662e016ff184f675da1a78ac96c7b16

MD5 hash:

e9a4f34e8ae18813cd5391c264a66e45

SHA1 hash:

abc1fd2eda12ea13dce39eeb7b695e70b4cac145

Link:

https://www.unpac.me/results/06deb3cd-c79f-4245-8855-6ad58b28b408/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60974f5d63c5b3f74654b4703bf1a7b56662e016ff184f675da1a78ac96c7b16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/309135/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample