MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
SHA3-384 hash:	d2049b4fc9b61cbd4b72af34b48120fefddc9120ed29a36effc71464eab333de0101c4998ae335e33ac5aa60f028025c
SHA1 hash:	ace1ee0cdef44a196177d7d9a404800baef59918
MD5 hash:	50fddc318d1e8d0f139f62cbf4f7de3d
humanhash:	spring-jupiter-freddie-bluebird
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	366'592 bytes
First seen:	2023-03-07 14:15:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7ca9aeb70e388366d4b49ad6e91f0c93 (9 x RedLineStealer, 2 x Smoke Loader, 1 x Stealc)
ssdeep	6144:NL6CsH5B3H5rUknIj3BpeHSTjItzQjQRmx/Y+Ia4eZ:NmCsH5x5fI7BpeHSjItzYQRiYNAZ
TLSH	T12B74F12276D0C437E6E709705434CBA51E7EB8362635928B7B782BB91F203D1AB76317
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	94cc8cb4b48c5912 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://91.215.85.15/doz.exe

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-07 14:17:32 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/9aa845fd-86d8-4154-a5fa-c486e878949b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/372308/

Detection(s):

Sanesecurity.Malware.28986.BadIN.UNOFFICIAL

Sanesecurity.Malware.28988.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/6407472386426ca5a86acdf9/reports/0fd8c55b-db8e-4df4-a84e-9b5d1d1ee604/overview

Verdict:

Malicious

Labled as:

Ransom.84989A88

Link:

https://www.hybrid-analysis.com/sample/6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fa693dca-0ca1-44a2-b37c-f7a2cc1857a3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189013

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-03-07 14:10:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=merl7e42ztxqjufm77huc7tpolwpbxdrh66ak6eub2xu4bgllp3a._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230307-rk5bvaac92/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

fe20253e6bcafed3a581e5269b6864d1fdf838983b0b4427bd9e4696ba3d1ffe

MD5 hash:

9297cc2bad28fe469640b35f8f9358a1

SHA1 hash:

b62081ed7e83a8721d5bf5df0d5ea9fdec2822e2

Detections:

redline

Link:

https://www.unpac.me/results/ffe99c4f-772f-4c90-8bf7-a3c7ba37e261/

Parent samples :

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

SH256 hash:

db2c4acdeb934ae96e51b46b88f24dad4e43f69a90de44b8554e30b909ef29ca

MD5 hash:

9dc3abbfdcd1bb7cafb14a35b60d6713

SHA1 hash:

6aacaf8c94121006562f4a013283741340e99693

Detections:

redline

Link:

https://www.unpac.me/results/ffe99c4f-772f-4c90-8bf7-a3c7ba37e261/

Parent samples :

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

SH256 hash:

f4262b5eb59db26a6eb9534d7d8e57955ef5ef3079a439570cb32c9754baf696

MD5 hash:

bcc57bbabee21070c3b1c1c0d6549c1d

SHA1 hash:

374f18b741a610c8d532d793c52e2aae22fc7856

Link:

https://www.unpac.me/results/ffe99c4f-772f-4c90-8bf7-a3c7ba37e261/

SH256 hash:

6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6

MD5 hash:

50fddc318d1e8d0f139f62cbf4f7de3d

SHA1 hash:

ace1ee0cdef44a196177d7d9a404800baef59918

Link:

https://www.unpac.me/results/ffe99c4f-772f-4c90-8bf7-a3c7ba37e261/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6122bf939acc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/372308/

URLhaus

https://urlhaus.abuse.ch/url/2556788/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample