MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61f2fc3b25ca13d2fdac6d88e30974196ec6392f547f58eeed7492be4f541f49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61f2fc3b25ca13d2fdac6d88e30974196ec6392f547f58eeed7492be4f541f49
SHA3-384 hash: e83a7d92ea01429f8eb34e03cedde64aead1f1d9d2da32b743fadfbd6b6a247e449a5b6b2fb7e057b9d60093e826716b
SHA1 hash: 44bb25021aa09dcac5f66a3a43ecc7c51d1ba2ad
MD5 hash: 5bcd390279d09ca80397ca7636a57b77
humanhash: lion-diet-cat-wisconsin
File name:5bcd390279d09ca80397ca7636a57b77.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:320'017 bytes
First seen:2021-12-15 06:02:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fdb1d18fcb1774aedc78ecdbb5413a24 (3 x RedLineStealer, 3 x Smoke Loader, 1 x CryptBot)
ssdeep 6144:80CzDWmD3XP+/rF/+4gQhynlpYwUsAXM+Ufia:4W0H2/9x1ynYwUsEo
Threatray 3'972 similar samples on MalwareBazaar
TLSH T18864F102B5E2D930C2A35E356831DAA01E3FF9325930459F67643B9E9FB26C14BB6712
File icon (PE):PE icon
dhash icon 3430f08ed4d0cccc (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.9.20.157:46257

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.157:46257 https://threatfox.abuse.ch/ioc/275532/

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5bcd390279d09ca80397ca7636a57b77.exe
Verdict:
Malicious activity
Analysis date:
2021-12-15 06:04:32 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/7fa2e40b-0e71-46fd-a108-c83aec869f7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214183/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61b9851745ca64e57f10b901/reports/103f1c2c-0ae6-4e71-88ec-cb5a1fb2a4a8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5754011-7cf3-422b-8e9d-85b73f374844
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907610
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61f2fc3b25ca13d2fdac6d88e30974196ec6392f547f58eeed7492be4f541f49/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 06:03:10 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhzpyozfzij5f7nmnweogcludfxmmojpkr7vr3xnosjl4t2ud5eq._file
Verdict:
malicious
Similar samples:
0886b0f11c7bf224579cb12521e6f1f28c63400b6172244fbc7328ca33a518ed
RedLineStealer
0b383deecb2ee6fefeb0d66a188822e06610c50c6381a3cba7ba654fed525441
RedLineStealer
0d5081af8afd2b3202030d286bb7793b9b9e01f4f644b8451f5f00d78945a8e1
RedLineStealer
23c753efd5de99b77d63be1c3c983299ba081dae7ed334d6290ff65d3bfac2df
RedLineStealer
c7b4cb9d1d16968f06599fc577cd43f62a8c4b1154e377af951f48d81d8de244
RedLineStealer
cbf787fa6a28a09a471c205a8809946627a92e818a5cc9cb27e41a1f7dc6239e
RedLineStealer
e20da6340eef734cc4191d3871e2fbc93f289dc36a91b21206ef515848391eb9
RedLineStealer
ff4be4dcc9403ec71c200b7d1137e2d8d7118e775a164b7839ae07e2cb6bff25
RedLineStealer
+ 3'962 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:11 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211215-gr18naggg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.9.20.157:46257
Unpacked files
SH256 hash:
c497c46af21b01c853090baa354c0580528bf27c9799efbd71c5e3a1887c4947
MD5 hash:
731e2baa88d0bbe117d6404720997379
SHA1 hash:
f8e773ba0d75aee73d43c06a8189b97c39b0ff31
Link:
https://www.unpac.me/results/1f5bbf9c-f52f-4518-8e81-ddbfcad45e48/
SH256 hash:
9c2783269fc62894762aab5d394109c75acc33dea47f434e75027941b28b0fa6
MD5 hash:
3088a1ae867b8133e7229c8061e932c3
SHA1 hash:
96fa01d6bcbabcca6c1c48badd11a9e795a3806d
Link:
https://www.unpac.me/results/1f5bbf9c-f52f-4518-8e81-ddbfcad45e48/
SH256 hash:
f8b6841d3e5e6a749f3de9421efc5f3e0233b68f60b0f6123de15b0a4692de8b
MD5 hash:
fe2e4b7738e1533069e7e3c9802afd87
SHA1 hash:
2e91f3640888f2771d2c5a5cb8e90ce1407afdd3
Link:
https://www.unpac.me/results/1f5bbf9c-f52f-4518-8e81-ddbfcad45e48/
SH256 hash:
61f2fc3b25ca13d2fdac6d88e30974196ec6392f547f58eeed7492be4f541f49
MD5 hash:
5bcd390279d09ca80397ca7636a57b77
SHA1 hash:
44bb25021aa09dcac5f66a3a43ecc7c51d1ba2ad
Link:
https://www.unpac.me/results/1f5bbf9c-f52f-4518-8e81-ddbfcad45e48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61f2fc3b25ca13d2fdac6d88e30974196ec6392f547f58eeed7492be4f541f49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 61f2fc3b25ca13d2fdac6d88e30974196ec6392f547f58eeed7492be4f541f49

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1882932/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214183/

Comments