MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0
SHA3-384 hash: 3de91b3c6fc263f00822dd502f3be68847eb86381de0841c9de43c9816b4d06bc2c89950d751a21626cab9b38073b170
SHA1 hash: ec5e1f42bb61d1f9110d7f660981b02bd886b94c
MD5 hash: cb62b107b18fecdb595251801992d2df
humanhash: low-india-mobile-winner
File name:meta_build.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'852'544 bytes
First seen:2023-02-14 13:28:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 353dcc871fe8e730342da58283dc599a (1 x RedLineStealer)
ssdeep 196608:dMa7IvaNhS+LqdNtOhG4cn/FzZnNgsGI:dMkIvQhNqdNtOhG4AdZyHI
Threatray 23 similar samples on MalwareBazaar
TLSH T17E8622E4149212B4D0EF476060C6078DA9E07AD866FCAE2DBCE01C525F54EDF358ADEB
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter iamdeadlyz
Tags:201-184-48-82 exe RedLineStealer SpacePearl


Avatar
Iamdeadlyz
From spacepearl.io (fake P2E game - plagiarised contents from multiple sources - fake team)
De-pump of 5992a0c63d7128b587c3a8c7a06b70f4136bd6fceea7fc420a664b33c08ecb83
RedLineStealer C&C: 201.184.48.82:40239

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
meta_build.exe
Verdict:
No threats detected
Analysis date:
2023-02-14 13:44:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4b4914ce-f4de-4bea-85ef-86a4fe6cf13f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/365693/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63eb8ca66ea97adc8fc1e293/reports/6755d7a1-bbf3-4f82-b9fa-882c65eea040/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/74666818-27a4-4ae5-bb6a-189045fad57d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1176967
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0/
Threat name:
Win64.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2023-02-14 13:29:43 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
13 of 26 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=midb6l7v65ohiubgb4lbycw7yutcfsfkbg5umhkzjmkrzyp3i6ya._file
Verdict:
malicious
Similar samples:
0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221
RedLineStealer
1ef0fe49cef266707c54468ea0113c06965f021ca19db32035d80007b6517c2b
RedLineStealer
22b8eea77c280d8bbfe86c7a3acac4e60f11bfeb5fa03cfef44678513af49600
RedLineStealer
5280df289219b64295e97b3b94e61b34e93a2fa9796067a447b7695499711e97
RedLineStealer
58591d220d48fbc565054766db000c1d14250a02c160bfe86370877441e5d2da
RedLineStealer
b461d9bfbeae78742a553e7256a7714c5b24f99f032e3f3779b31c3af2458807
RedLineStealer
b7e70119bad5c9fcd84035b4b9064911f45f0e95a2ec4a84b0ee10105d541055
RedLineStealer
c7d11c958c790562daf2522a05d7ba39e0c013e810f51ff2013af571d9394679
RedLineStealer
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
RedLineStealer
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230214-qq82jsda5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0
MD5 hash:
cb62b107b18fecdb595251801992d2df
SHA1 hash:
ec5e1f42bb61d1f9110d7f660981b02bd886b94c
Link:
https://www.unpac.me/results/a32aa360-1695-4194-9979-5e2028b952a6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/62061f2ff5f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

253e3a339c2aa3b7beae2b01862658882839e2d0a9bcd374cfa64c6222065e71

RedLineStealer

Executable exe 62061f2ff5f75c7450260f161c0adfc52622c8aa09bb461d594b151ce1fb47b0

(this sample)

  
Dropped by
SHA256 253e3a339c2aa3b7beae2b01862658882839e2d0a9bcd374cfa64c6222065e71
  
Dropped by
SHA256 4e2201550f99defa680ab58ced545a76b5b555f779f3478b13f556d35d5e186c
  
Dropped by
SHA256 5eab59869728c98ff7d30af4033958c5da68d2403dfdbbeecb0c2cc03f69712f
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2539530/
Cape
Cape
https://www.capesandbox.com/analysis/365693/
  
Dropped by
MD5 26cd0ff7a3b8e92ce4b1f755870649bd

Comments