MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6152b89328948e22cdaa7c340449bb172fbf4e919c05dd3ac84362ea7fec657d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	6152b89328948e22cdaa7c340449bb172fbf4e919c05dd3ac84362ea7fec657d
SHA3-384 hash:	a66ef6fa08c3ceff226ed3f1f6131e958bafb8797d609318df906d10743bf12ac5a093a75a792293ee32217260da7dfd
SHA1 hash:	48cdab04af8f1ae273f7d39e9609748c6405f0bf
MD5 hash:	a5482604452bdc0fbbb566c3b63c2128
humanhash:	arizona-solar-delaware-mexico
File name:	a5482604452bdc0fbbb566c3b63c2128.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	394'240 bytes
First seen:	2021-10-12 08:52:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cb6ad1e5a39414958a5cebe210525a01 (5 x RedLineStealer, 1 x ArkeiStealer, 1 x DanaBot)
ssdeep	12288:lAOcu/K495LLE/Zkle0rs5aDXRC24iVQ:6ONjPEMMaDI
Threatray	1'541 similar samples on MalwareBazaar
TLSH	T10184AF10A7A0C035F1F356F85ABA9368A93E7AA0AB2490CF53D516ED4774AE5FC30317
File icon (PE):
dhash icon	ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a5482604452bdc0fbbb566c3b63c2128.exe

Verdict:

Malicious activity

Analysis date:

2021-10-12 09:20:40 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e66b2b10-7827-43b2-9b36-b373c03274ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/196853/

Detection(s):

Win.Malware.Generic-9901710-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61654cf0fd35fe780c3a32e8/reports/4f0dfcd0-7802-414e-bfe9-ffaae6107a44/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d325a3d0-c6b6-4336-8d12-9c90556af01a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/868451

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/6152b89328948e22cdaa7c340449bb172fbf4e919c05dd3ac84362ea7fec657d/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2021-10-11 22:10:40 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mfjlrezisshcftnkpq2aisn3c4x36turtqc52owiinrou77mmv6q._file

Verdict:

malicious

RedLineStealer

4922891e6b053807054a0c672b1c32ac287e9784200da2d6d75ef5c124da366e

RedLineStealer

4a79bdb6cd4aa22e5a56ad766f1b0dd5e5d6d1b19ec2a42b6195f29afe943e88

RedLineStealer

4ac4e8328d428626cc0c25364a669c704d316000ad3da748c0a666a815838eb7

RedLineStealer

631cdb7b1c8fc0bd47541973f9b3769ab77dfd97e3a2a594757a8b7bab23cbd3

RedLineStealer

8e2498decf8c6a639d6f72f7e6221b0a8538ffc61b8f454806c7e36fe2b90eb4

RedLineStealer

98d46fad42062e453d5b8dbcc1fa0173fef88c3d9d777fad9a604cb3fd30fb8c

RedLineStealer

9ebd2db021e7423ea13def07da2e9fe74828d065efefdff99452520af41d725b

RedLineStealer

be1de91728d9c2739c8054b7c8c8ddabb10e49c638ebe6fd17ceb6b1faf636d7

RedLineStealer

e6bb834ea37837d095580e6dd86152e5d200a5810018f26a3ecb4b58de6a7b9e

RedLineStealer

+ 1'531 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix12.10 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211012-ktcjvsbhfr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.15:57055

Unpacked files

SH256 hash:

26965ce13906416c7c92bd57158174a56aacf29214615c921a63381e930000ce

MD5 hash:

e9f26f06ae09440d28957fd0b7028f33

SHA1 hash:

aea1c63e6bbccc6919fb6febbc685e2b7bc41e14

Link:

https://www.unpac.me/results/944550c4-be09-4c83-bf5a-dfff8d25aa47/

SH256 hash:

5b90d643f444b03825232c09d4c067d3a10cf4b16332676842f1164430b80da1

MD5 hash:

6b40515524058c4f74945d0d6459cd9e

SHA1 hash:

8b5c4737f42717164e9b398d8c5fa9a460908963

Link:

https://www.unpac.me/results/944550c4-be09-4c83-bf5a-dfff8d25aa47/

SH256 hash:

ea26ead8ad0ff2b0a9db2f953318ea1386608a00822c289fa6d149e994c53d9c

MD5 hash:

58881b7f67bf40db80f8de105e22d28b

SHA1 hash:

7c3e5a35463ec42c10e4a601f45cbbcadd3063ab

Link:

https://www.unpac.me/results/944550c4-be09-4c83-bf5a-dfff8d25aa47/

SH256 hash:

6152b89328948e22cdaa7c340449bb172fbf4e919c05dd3ac84362ea7fec657d

MD5 hash:

a5482604452bdc0fbbb566c3b63c2128

SHA1 hash:

48cdab04af8f1ae273f7d39e9609748c6405f0bf

Link:

https://www.unpac.me/results/944550c4-be09-4c83-bf5a-dfff8d25aa47/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6152b8932894/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6152b89328948e22cdaa7c340449bb172fbf4e919c05dd3ac84362ea7fec657d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 6152b89328948e22cdaa7c340449bb172fbf4e919c05dd3ac84362ea7fec657d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1663299/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/196853/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample