MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 622cbf271ab0df0b2a00464df31d87a24cf87890879161f8c0de79fc7befa117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	622cbf271ab0df0b2a00464df31d87a24cf87890879161f8c0de79fc7befa117
SHA3-384 hash:	255042d80a8d1d2c20e343d308f89ab92ba3c0e0d410b66ebca548ffde40a9bc13aa5ecf29136de888abff9d884c690c
SHA1 hash:	943c6ef8f3c1763528b0af6f739700a791bfddba
MD5 hash:	15154034baf32dd1875e9c0a0f2f1041
humanhash:	oscar-vegan-stairway-river
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'102'336 bytes
First seen:	2022-11-11 20:31:11 UTC
Last seen:	2022-11-12 10:04:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4718c85fe28e792412bf1679bc40c971 (49 x RedLineStealer, 1 x ArkeiStealer, 1 x TitanStealer)
ssdeep	24576:Zv4f8YEYi75Sej1MNTTQuQPhweuSQ1R/I7b+n:Zv4mtcR3tn
Threatray	3'101 similar samples on MalwareBazaar
TLSH	T18C355D2AEB4625F4EA275771855FEB779B18BA148032EE3FFF4FDA08A0330163846551
TrID	44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc760750097_655884012?hash=hWBHgmlA8iB9gipgMmKEvQZqbc6UGKhI3tPMYEZZQz4&dl=G43DANZVGAYDSNY:1668198378:AUUnhXkyyCc9FzEkx1WOx0AqIzZ1qosXnkdUTJGxZID&api=1&no_preview=1#new10

Intelligence

File Origin

# of uploads :

294

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/332613/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.4043.23032.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for the window

Sending a custom TCP request

DNS request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/51436/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/636eb14220a0b4943a8ef72d/reports/4c666b91-85d2-46ff-8c38-c8fcd4b58c4a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/29b20e06-1295-4637-948c-1a215cd54e07

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1111532

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/622cbf271ab0df0b2a00464df31d87a24cf87890879161f8c0de79fc7befa117/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-11 20:32:07 UTC

File Type:

PE (Exe)

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=miwl6jy2wdpqwkqaizg7ghmhujgpq6eqq6iwd6ga3z47y67puelq._file

Verdict:

malicious

RedLineStealer

2e4e268f4c49ab98cd0c5679e264f6a47458a389c0f0cc97f2a04371afbd3fb2

RedLineStealer

46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6

RedLineStealer

76b2a3865b39346b400bec0b19468abf38bcd337b100425bd2a1640d999e5d5a

RedLineStealer

81173b89b99d19283f9ebe3ee7e2aa13070618cbb1d9d7c96a2bbf8be985dc7a

RedLineStealer

816636033881f5932f282b68e3fda7515b85b53d3507fa4c9a2c10323a2b3130

RedLineStealer

+ 3'091 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:new11112 infostealer spyware

Link:

https://tria.ge/reports/221111-za9skseb8v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

jalocliche.xyz:81
chardhesha.xyz:81

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4f6dd91c-e8f4-49d4-a534-2a2cde455a1b

Unpacked files

SH256 hash:

90898f805900f3d11de38b0be3ccdf83aeb47ece1df2995a967fd7327e9ee74d

MD5 hash:

4232138db4a40d4399b1265cebee2992

SHA1 hash:

cbb9919044d46ddf5810a7e556358e9ea7b39804

Detections:

redline

Link:

https://www.unpac.me/results/b242d1eb-35cd-4f95-bfe7-25fa0bd25603/

SH256 hash:

622cbf271ab0df0b2a00464df31d87a24cf87890879161f8c0de79fc7befa117

MD5 hash:

15154034baf32dd1875e9c0a0f2f1041

SHA1 hash:

943c6ef8f3c1763528b0af6f739700a791bfddba

Link:

https://www.unpac.me/results/b242d1eb-35cd-4f95-bfe7-25fa0bd25603/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/622cbf271ab0df0b2a00464df31d87a24cf87890879161f8c0de79fc7befa117

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/332613/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample