MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments 1

SHA256 hash:	6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9
SHA3-384 hash:	42d34a7b74ef34e93b4540f1240e89a7a607262c8c7008cef0aa2c678d6e50b8f82e3b16a70319970aaacba170eea44a
SHA1 hash:	8f9ae2d5b18688a81de969a2746e5d1e6bb0d9b1
MD5 hash:	e2d4ff2d0f79d3b26b1c33bc3d3e984f
humanhash:	vermont-stairway-shade-princess
File name:	e2d4ff2d0f79d3b26b1c33bc3d3e984f
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	358'912 bytes
First seen:	2023-07-22 21:11:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bda7163eeb2431f046ba687ba9a660d5 (1 x RedLineStealer, 1 x GCleaner)
ssdeep	6144:iKnMahrSLFys2O5h0xUfx0OxlM5b8RMSb7IUny0:5nFNSLPh5z504ab3mo0
TLSH	T19B74E11173E0C077E5B355304970C3A02E7F7CA29B3599CB67982A3E2E716C1AEB9356
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	04c010a8c0884000 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

348

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

e2d4ff2d0f79d3b26b1c33bc3d3e984f

Verdict:

Malicious activity

Analysis date:

2023-07-22 21:12:28 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/ba860d09-de1c-4e6f-882c-d9e0297e9199

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/429336/

Detection(s):

SecuriteInfo.com.Win32.RansomX-gen.23857.16726.UNOFFICIAL

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/29a22eed-aee1-4fc1-ad54-1fb75e1bf7f0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1277829

Signature

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-07-22 21:12:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 23 (91.30%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mecyc2belaxtfd4pnn5j5zpfls4k6yvaulqrirtrg3xf5kog6lmq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230722-z1573scb42/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

178.32.90.250:29608

Unpacked files

SH256 hash:

fe2e6f04b777ad58b3aa60f3ae725613f850cd7f33c1b5cf412b3834289eb4af

MD5 hash:

00981eed9a174d47add5c077be3ce7ab

SHA1 hash:

ff8a981a094b4c5cea1be6671ede01e1f1e6c5fb

Detections:

redline

Link:

https://www.unpac.me/results/c7555a51-c03a-4215-95b9-e8908953bd3a/

Parent samples :

5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9
6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565
127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53
9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927

SH256 hash:

72f33a98e88d0f17816c1ffdec17f74ed3b45582e7bfb9a7a97badde980a5583

MD5 hash:

c37db513789ef0b2e4cb7b5c613e2045

SHA1 hash:

fe22e822a3992e9e3fdb58d089b851a093c9a280

Link:

https://www.unpac.me/results/c7555a51-c03a-4215-95b9-e8908953bd3a/

SH256 hash:

95fd90ac54a23cc58162f72131d28c710e165286c3d42df4eec8a60a4cdc524b

MD5 hash:

741eb59c0a7d6e51ad6204088662709e

SHA1 hash:

d1270e8a99f43a1b1bcff9ee293472513c9db28e

Detections:

redline

Link:

https://www.unpac.me/results/c7555a51-c03a-4215-95b9-e8908953bd3a/

Parent samples :

SH256 hash:

d14a6bc260e69c17d5116aaf1550add0073a4530b12b74e5aff401cc7dae306d

MD5 hash:

d2f632d0f06158afdb609edc4cdce942

SHA1 hash:

adfa06207dc106a83b68bd958e5300874cc896cf

Link:

https://www.unpac.me/results/c7555a51-c03a-4215-95b9-e8908953bd3a/

SH256 hash:

6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9

MD5 hash:

e2d4ff2d0f79d3b26b1c33bc3d3e984f

SHA1 hash:

8f9ae2d5b18688a81de969a2746e5d1e6bb0d9b1

Link:

https://www.unpac.me/results/c7555a51-c03a-4215-95b9-e8908953bd3a/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/610581682458/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/