MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6158db38e1e3e80e0df2aa2a2b5d0a58d4064e669ac879446ba11443a8b881a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 6158db38e1e3e80e0df2aa2a2b5d0a58d4064e669ac879446ba11443a8b881a9
SHA3-384 hash: 437d784226bdfb9bb7e1db0d062bfeeb4443a3ddf24a1d90b21e6772d8117879a0e43f1c91ef03ad1c73ac463cace35f
SHA1 hash: 79e8cd7fade23df54d1ed58b054b26ff55458325
MD5 hash: 15cbc959a158f60642dfcb392ca96c72
humanhash: emma-hawaii-muppet-orange
File name: file
Signature: RedLineStealer
File size: 377'856 bytes
First seen: 2023-07-12 07:50:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 1ef9b36848c22fc248776468fce46241 (3 x RedLineStealer, 1 x Fabookie, 1 x Amadey)
ssdeep 6144:hoqaLAp/cwYZJVdjZ7OAw0ubyazmVgvA1QdJlI6gba7Tj:hlaO/cwYZJVRROeuby8A1Qd/Iev
Threatray 113 similar samples on MalwareBazaar
TLSH T1FA844A63D2E27D51E926CA769E1EC7EC761EF2518F497B6D22189E1F04B01F2C263720
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0000081241494800 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


andretavare5
Sample downloaded from http://194.169.175.136:3002/

Intelligence


File Origin
# of uploads :
1
# of downloads :
277
Origin country :
US
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-12 07:52:54 UTC
Tags:
rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1271508, Sample: file.exe, Start date: 12/07/2023, Architecture: WINDOWS, Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
Process tree (network contacts, dropped files and signatures are listed under the process that produced them; ports are destination port, source port):
file.exe
  Network: 147.135.165.22, 17748, 49720 (OVH, France); transfer.sh 144.76.136.153, 443, 49722/49723 (HETZNER-AS, Germany)
  Dropped: C:\Users\user\AppData\Local\Temp\123123.exe (PE32); C:\Users\user\AppData\Local\Temp\123.exe (PE32); C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
  123123.exe
    Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    AppLaunch.exe
      Network: ip-api.com 208.95.112.1, 80, 49725 (TUT-AS, United States); 185.159.129.168, 80, 49726 (ITOS-AS, Russian Federation)
      Dropped: C:\ProgramData\...\MTA1.exe (PE32)
      Signatures: Suspicious powershell command line found; Creates an autostart registry key pointing to binary in C:\Windows; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
      powershell.exe
        Signatures: Adds a directory exclusion to Windows Defender
        powershell.exe
          conhost.exe
        conhost.exe
      schtasks.exe
        conhost.exe
      powershell.exe
        conhost.exe
      schtasks.exe
        conhost.exe
  123.exe
    Network: 127.0.0.1
    Signatures: Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)
    chrome.exe
      Network: 192.168.2.1
      chrome.exe
        Network: www.google.com 172.217.16.164, 443, 49733/49734 (GOOGLE, United States)
MTA1.exe (started from the sample root)
AppLaunch.exe (started from the sample root)
2 other processes (started from the sample root)
Threat name:
Win32.Trojan.RedLine
Status:
Malicious
First seen:
2023-07-12 07:51:05 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) discovery infostealer persistence spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
147.135.165.22:17748
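The signature and behaviour lists above (Defender exclusion via PowerShell, schtasks spawned from the .NET host process AppLaunch.exe, a Run key pointing into C:\Windows, the extracted C2 socket) translate directly into host detection logic. The following is an added example, not code from MalwareBazaar or from any of the listed vendors: the indicators (file hashes, C2 socket, imphash) are copied from this entry, while the Sysmon-style events it runs over are constructed, the rule weights are this example's own choice, and the paths under C:\ProgramData and C:\Windows are placeholders because the page elides the real directories. Note that the imphash is listed on Fabookie and Amadey samples as well, so it is scored as a weak, family-agnostic pivot rather than a RedLine match.

```python
"""Added example: detection logic for the behaviours this entry lists.

The EVENTS below are CONSTRUCTED Sysmon-style records, not telemetry from the
sample; the indicators (hashes, C2 socket, imphash) are copied from the page.
"""
import re
from dataclasses import dataclass, field

# Indicators from this MalwareBazaar entry.
SAMPLE_HASHES = {
    "6158db38e1e3e80e0df2aa2a2b5d0a58d4064e669ac879446ba11443a8b881a9",  # SHA256
    "79e8cd7fade23df54d1ed58b054b26ff55458325",                          # SHA1
    "15cbc959a158f60642dfcb392ca96c72",                                  # MD5
}
C2_SOCKET = ("147.135.165.22", 17748)      # from "Malware Config / C2 Extraction"
# The page lists this imphash on Fabookie and Amadey samples too, so a match
# means "same import table as known malware", not "RedLine".
SHARED_IMPHASH = "1ef9b36848c22fc248776468fce46241"


@dataclass
class Event:
    kind: str                   # "process" | "network" | "registry" | "file"
    image: str = ""             # process image path
    parent: str = ""            # parent image path
    cmdline: str = ""
    dst_ip: str = ""
    dst_port: int = 0
    key: str = ""               # registry key (kind == "registry")
    value: str = ""             # registry data (kind == "registry")
    hashes: dict = field(default_factory=dict)   # {"sha256": ..., "imphash": ...}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defender_exclusion(e: Event) -> bool:
    """'Adds a directory exclusion to Windows Defender' via PowerShell."""
    return (e.kind == "process" and _basename(e.image) == "powershell.exe"
            and re.search(r"add-mppreference\b.*-exclusionpath\b", e.cmdline, re.I) is not None)


def schtasks_from_dotnet_host(e: Event) -> bool:
    """schtasks /create whose parent lives under the .NET Framework directory
    (AppLaunch.exe in the behaviour graph)."""
    return (e.kind == "process" and _basename(e.image) == "schtasks.exe"
            and "\\microsoft.net\\" in e.parent.lower()
            and re.search(r"/create\b", e.cmdline, re.I) is not None)


def run_key_into_windows_dir(e: Event) -> bool:
    """'Creates an autostart registry key pointing to binary in C:\\Windows'."""
    return (e.kind == "registry" and "\\currentversion\\run" in e.key.lower()
            and e.value.lower().lstrip('"').startswith("c:\\windows\\"))


def c2_connection(e: Event) -> bool:
    return e.kind == "network" and (e.dst_ip, e.dst_port) == C2_SOCKET


def known_sample_hash(e: Event) -> bool:
    return e.kind == "file" and bool(SAMPLE_HASHES & {h.lower() for h in e.hashes.values()})


def shared_imphash(e: Event) -> bool:
    return e.kind == "file" and e.hashes.get("imphash", "").lower() == SHARED_IMPHASH


# (name, predicate, weight); the weights are this example's own choice.
RULES = [
    ("defender_exclusion", defender_exclusion, 30),
    ("schtasks_from_dotnet_host", schtasks_from_dotnet_host, 20),
    ("run_key_into_windows_dir", run_key_into_windows_dir, 20),
    ("c2_connection", c2_connection, 40),
    ("known_sample_hash", known_sample_hash, 50),
    ("shared_imphash", shared_imphash, 10),
]


def evaluate(events):
    """Return ({rule_name: weight} for every rule that fired, total score)."""
    hits = {}
    for e in events:
        for name, pred, weight in RULES:
            if pred(e):
                hits[name] = weight
    return hits, sum(hits.values())


DOTNET_HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  # constructed path

# Constructed events mirroring the behaviour graph ("placeholder" directories
# stand in for paths the page elides).
EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent=DOTNET_HOST,
          cmdline=r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    Event("process", image=r"C:\Windows\System32\schtasks.exe", parent=DOTNET_HOST,
          cmdline=r'schtasks.exe /create /tn MTA1 /sc minute /mo 1 /tr "C:\ProgramData\placeholder\MTA1.exe"'),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value=r"C:\Windows\placeholder\MTA1.exe"),
    Event("network", image=r"C:\Users\user\Desktop\file.exe", dst_ip="147.135.165.22", dst_port=17748),
    Event("file", image=r"C:\Users\user\Desktop\file.exe",
          hashes={"sha256": "6158db38e1e3e80e0df2aa2a2b5d0a58d4064e669ac879446ba11443a8b881a9",
                  "imphash": "1ef9b36848c22fc248776468fce46241"}),
    Event("network", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dst_ip="172.217.16.164", dst_port=443),   # the graph's benign-looking Chrome traffic
]

if __name__ == "__main__":
    fired, total = evaluate(EVENTS)
    for name, weight in fired.items():
        print(f"{name:28s} +{weight}")
    print("total", total)
```

Running the block fires all six rules on the constructed events and leaves the Chrome connection unscored; the hash rule is exact-match only, so it will miss the unpacked children listed below unless their hashes are added to SAMPLE_HASHES.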
Unpacked files
SHA256 hash:
5dced280508f61d6b5a73eb478abb0f6d8165d239577d7d4bca2953019fbdd9a
MD5 hash:
d21174205d0df27c7ebaaec34b6d2e06
SHA1 hash:
efcd88425bc8580d5d881530bdd2abcc08f77715
SHA256 hash:
d5264d0a59feabbab9333ff9af67ad8fa0281e88a3ece71710f116106f82346b
MD5 hash:
865d34909949f9bcee471da09ffe424c
SHA1 hash:
d2b47e54c1b5a747b59fead6c548a7465f5111c3
SHA256 hash:
9fe6c8c1963ab952f1223e6286f61deb572910a858b697538901975030c58386
MD5 hash:
f8842e38a7d10714f0e4e61814c2d318
SHA1 hash:
bff1191f3197010f9536ed10a2f04edb31856bb4
Detections:
redline
Parent samples :
933376e38f0ef413916ab8cd713b9b44b57f152c7d2e9ecb4af5b514012925c3
8044914fef05ba9c7505662b3bc53edfb8a376cd0383d5f81d35a3797a9339da
61b5dc04ec8d88a18260a3dfe42344ec5630c6af7204246429ccf48b0dedaf5c
249ff8adcaf0914424769055cc293a3114a071fd260073de2455d6f501971aa2
6b78dfce3fe9f54b8af722e912304dc97b681ff6d9ff3d77e3007b446443ba26
12ec771c6e24cc918e07de4b2a7b8be06b74bf1bfb2a0dbe0efac09e24bb9403
d668ad781ee9b81de4e5da26889308f4f7c496f68cf9001862b7a9d1b5e16cf3
8e98ea41349271538cbad8c702e9db0aa752b6d9f63ab41cd15520a955db42fd
572e60bad91adcc0711b6c93408bc73812d05a7485b0f2a5125f4e3af19dcba0
152a044d6ead756bf25102941ae5347d21c1eee29811dff7ac86c216d430745b
8359a347a41ef75b7a1591d2bd81372d24e25aab079e08ab7185bdbb0948955c
6158db38e1e3e80e0df2aa2a2b5d0a58d4064e669ac879446ba11443a8b881a9
ec0d3113557b7cc0d2d5123ac45922d40e34209fce8cfc2b665cf18cb34b691c
dc952defb4644f600950afcadd4e252a529ad737788a13f4a653fa2ed65e4f5c
d6cbeb563b46bd0ec0c779dd9f986ac65c6e8ee2ac28e7157af2db2533974da6
94e23d967addf03cbf052e8d346f875fb8320b0a5ebec4a3dd3e83f4b7616caa
74edab3b0ba41b9d02d35d1b4b5a5791990711920ad81a3b7bcaabfcc45c4c5a
83172a05a1bf277edad661d291cf26ed197ff9917a878e00d980e6748e3541a7
0bde9e8c209c4a3a4f09e02d127dadddb1c9a73b35166bf3c0812e69e6b1f068
e77ae5cb696891c9c81ec6c871261968ae12c334cd1d145c7f5f9e0115181dd5
239a4626ed96608fc7d5c5a84bd05cb547b222b103ca17eeaab7ea45c3f3ff22
e69e4141ad09e3e1a108c0719c131468a36c785d2a9d0930a3631e28a72ef782
5b864f12ca96654596244a7233fda37fdbd0776687fc24b54a7a351d6b0b4d3c
bdd67a2d07debbf8140da392ef933eb53172beae105a4981e7bf8938f393e667
baf8248b9b2c0a0a97ccbca60cc194a0dd15e48a17768afaf043799404db176d
e7006b8d71261b865d8601aa6e3b62f6b619f9d93ce857b288f9555cb17d5153
4b3aacacceebfe9cc6607c1b55eb9f1f3dd205a96b9bbfd0b38d433397d3c9a5
00248ecc4cde5256ee679fc0cecad0dea666940d064000d631882fadb4fea195
2eaebd7330e5901c36a1b1ad738cf6c76346c8525d89f16bacf4c1a9822fd993
549049c206798ac82da3d7bf88fec6d324737390070547998c0828b916905d9c
67de75fa63b6f101a2da5e047edd26ee239cc1767d716c2690d55bfb3e49882d
35214fb8ab4acfce9a6e0caae407e3b4d4aa374bf96c5596c49e342305d193de
ef8f11e6329370a13d6a82056ca5dadfa4a611ffdb719bd523a9c25b8ad07297
5811521cf05b04befec57554827f8426ea8743bcca3c7838872d1f58e4149cbb
fec91dbceed820feb3d8a348370841492348c5b370811eaab263013fd09ad218
SHA256 hash:
3bf78bec9c2e2c0d7acd0b0b79d7441f1a7c4cb0d982ed7e299c9b9a27bbb78a
MD5 hash:
14b060c9c230c1272d8cd31f6e82cb8b
SHA1 hash:
4445697bb79b2d9e8caf7cdf41ab76b4f4b2dacc
Detections:
redline
Parent samples :
SHA256 hash:
6158db38e1e3e80e0df2aa2a2b5d0a58d4064e669ac879446ba11443a8b881a9
MD5 hash:
15cbc959a158f60642dfcb392ca96c72
SHA1 hash:
79e8cd7fade23df54d1ed58b054b26ff55458325
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by
PrivateLoader
Delivery method
Distributed via drive-by
