MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
SHA3-384 hash: dc196679f431622e612f1b8c07535f5e6a2e3bf71fd69b3004a7edd7045d51368d18e21ef61f53ecac0bd91aea8e4196
SHA1 hash: 616db88ceee46791f4a959bbcac6a154e0044776
MD5 hash: 0dde183351f48665734eaa76277e3058
humanhash: aspen-failed-bacon-alanine
File name:0dde183351f48665734eaa76277e3058.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:361'984 bytes
First seen:2023-07-25 16:25:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21f576cdd9781dd6a4a8eb3639210862 (3 x RedLineStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:R+GUgDMu4BnIXpL2sBs8QTDPZOPasqRYkdzWQb5:MG74uYnIZaEs86PZEUYkp
Threatray 203 similar samples on MalwareBazaar
TLSH T1BF74E02175A0D072D0A39A316870CA511F2ABCE3AF7582CB33983E7EAE716D05779717
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0ddd4d4d4d2dd (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
51.89.201.49:6932

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0dde183351f48665734eaa76277e3058.exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 16:28:32 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/0eaa6f45-2bfe-41b6-90cb-33224f92b0e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432628/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.26072.30984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Launching a process
Searching for synchronization primitives
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2eec3cdb-f590-41a8-87e7-24b79b1f9e90
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279355
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933/
Threat name:
Win32.Ransomware.Djvu
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 16:26:05 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkk2taytrkypqub5h6azsljscqivokeyni7uf4knx5hsqceffezq._file
Verdict:
malicious
Similar samples:
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
RedLineStealer
21555a064acdc892c3982e3dcd7244f94737297b675284b0256c28c16011fdad
RedLineStealer
3122024e38f6769ed308f951822fb89eea84c3fe13fdc8a7397f6bfabe3d0d28
RedLineStealer
38e099ef86c063ecc48440de86109a58c8c748d68969f0fb2262e9b315c0d2f1
RedLineStealer
3939eda08906ccdabf2c128914c02a96ec8a0f7183f0e4becdae79b58662a95e
RedLineStealer
3e18f9b7e8cdd8a1f059a105846c613234cbfd791c0660872c226071417e7dd4
RedLineStealer
41eb10298ecda748977837bf1c15ff97cf47c0317b78257863e4983f66ebd011
RedLineStealer
75f9db664373b1e957799e65139d1468c7cc7f39ce171c100b875d886cda0690
RedLineStealer
9c33c0c4d40467e3738099d615717165646ad52d21c9680b11ae8488880e5a46
RedLineStealer
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
RedLineStealer
+ 193 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230725-txh1gsee9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
51.89.201.49:6932
Unpacked files
SH256 hash:
f5d6462a2d94739de88ed00f6235a8b6297ed69f276c1b1b5eac019ffd76832c
MD5 hash:
414f2bd73f5fa592f629ca2583986212
SHA1 hash:
bdd104e676335baa9ade66f3d0bc6c3c02ee7efd
Link:
https://www.unpac.me/results/80311bb3-398e-4e28-be14-0001a6df2295/
SH256 hash:
5d1835b7abe9635775381d92c69be21a845302b59627c983231637b0e03cf083
MD5 hash:
905f316e5faf8833fbfffb9624b33a7a
SHA1 hash:
5768ff57e4c51c2000018642142518ec91fdd976
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/80311bb3-398e-4e28-be14-0001a6df2295/
Parent samples :
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
854686fe7733b66f0cb1fd49714e5126413f200bd8fe7c7dcc4e900e808a30cc
3122024e38f6769ed308f951822fb89eea84c3fe13fdc8a7397f6bfabe3d0d28
f4d613761f025e646a9adeea89975989bd817d0280d05fc45e61301bfaa43688
fd613ccfdd3bb9ab2009d07d3df55827dbd67bd6e5b5574924fba1e6940a404c
6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
d5f1a77bf8d84cf38a76a3a077e7d0cdbdb8f436392ec8742f7463c0f8067362
92cdd03295523d1f0b5fdf13489745137a8000a34657dd1316b716a8b52b5b4e
f24b3812d45263f6998aa5e2edfd61f5919d81a6916c52e7d4d0d1c53a050afe
db40827d851730dff5a1019430f6364fa76cec8fecad2bf76d2d78ab2102f672
6576a9cae4aa29df3f1a64c991edf760b5049d46b9f8c04a746afab4c75b2461
156f8a01373f5c86d414a9597835bbd998092c5408ff2bdcfdabc93e7394d536
2432fd8a398d21a7e5cdd1db1bc5b3d57619b3f1fb834f44d61bacae350a7f8e
5570374655d68b8a1e42aa5aa5b4a63367a7919c352b5aa1c8c4049034425205
f6dd9fd0185041228855ea83680f9ab6c96dc9bf63da4ac5dce9260ae2af00e3
90a64173b3e6a9bc6d76975b4b566ad2a1ed2e7530c90a142b4d19914141cd20
faa536c84fe0357e13c3464114b7cc417cf91ed91ea29da648924b17335269ee
e0b1ee6c4cbf7cef3f99179f852d08088cd8d0b47ea3af9c1b4bab543d895adc
469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
31b442766d69f7e989e3839c60b3d0792745ce2e97461495559d3082f5b0607c
5c249d73d8a1451c87291303f8568f8602ee6c9eaeeeaf304e484d00e0a00fa9
b805ee9e91c4716831f7f44ab17a2e58ec9f90c73be93cf7468fee62edcbc2d7
e0193765c9e157028a992d2c76b8d3b717cc4390ddb4d6a972351ec9d39981e9
0eb8836fbbec229856e5b8ec0703cf55b38c2c94fd1719b994fa23cc8a1b7ab1
e58b5a3526a5b42be36a7cdf94d17035f76df9fed7db09d3982330a61986f7d8
c9d61842904c94a0a518478b2e9a81814b1bac45579d077bb4d5e628a9556d19
0aeabd2cce82133225f93a32f88d3a1ac58b149f1b897d7467fcfbd02369330e
e4e4ba94f26c1684ca0d8815d9f20b81e3c7000a88729a460f688ef405995161
c4dd212e80e44d05c45658aa172cf438abd791e89096f1b512fd67684951b0a0
9b400556890eb898227a06f91838ff0edf22c19a5f06d5f99181c7da2c45ea07
37de802ee7fb89ecbaef5175ea96747b7d429e92621cc236ee461cd6f084799b
SH256 hash:
8a9b739843085c75a03fdad6bf64ee1b62b119f0ad1f0ded8b5e881ea6a9e4b0
MD5 hash:
0f11f1777a3880c7f24b2071c79be591
SHA1 hash:
5711544dbf93cbccfee2c43ab1bf71f455122ecb
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/80311bb3-398e-4e28-be14-0001a6df2295/
Parent samples :
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
854686fe7733b66f0cb1fd49714e5126413f200bd8fe7c7dcc4e900e808a30cc
3122024e38f6769ed308f951822fb89eea84c3fe13fdc8a7397f6bfabe3d0d28
f4d613761f025e646a9adeea89975989bd817d0280d05fc45e61301bfaa43688
fd613ccfdd3bb9ab2009d07d3df55827dbd67bd6e5b5574924fba1e6940a404c
6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
d5f1a77bf8d84cf38a76a3a077e7d0cdbdb8f436392ec8742f7463c0f8067362
92cdd03295523d1f0b5fdf13489745137a8000a34657dd1316b716a8b52b5b4e
f24b3812d45263f6998aa5e2edfd61f5919d81a6916c52e7d4d0d1c53a050afe
db40827d851730dff5a1019430f6364fa76cec8fecad2bf76d2d78ab2102f672
6576a9cae4aa29df3f1a64c991edf760b5049d46b9f8c04a746afab4c75b2461
156f8a01373f5c86d414a9597835bbd998092c5408ff2bdcfdabc93e7394d536
2432fd8a398d21a7e5cdd1db1bc5b3d57619b3f1fb834f44d61bacae350a7f8e
5570374655d68b8a1e42aa5aa5b4a63367a7919c352b5aa1c8c4049034425205
f6dd9fd0185041228855ea83680f9ab6c96dc9bf63da4ac5dce9260ae2af00e3
90a64173b3e6a9bc6d76975b4b566ad2a1ed2e7530c90a142b4d19914141cd20
faa536c84fe0357e13c3464114b7cc417cf91ed91ea29da648924b17335269ee
e0b1ee6c4cbf7cef3f99179f852d08088cd8d0b47ea3af9c1b4bab543d895adc
469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
31b442766d69f7e989e3839c60b3d0792745ce2e97461495559d3082f5b0607c
5c249d73d8a1451c87291303f8568f8602ee6c9eaeeeaf304e484d00e0a00fa9
b805ee9e91c4716831f7f44ab17a2e58ec9f90c73be93cf7468fee62edcbc2d7
e0193765c9e157028a992d2c76b8d3b717cc4390ddb4d6a972351ec9d39981e9
0eb8836fbbec229856e5b8ec0703cf55b38c2c94fd1719b994fa23cc8a1b7ab1
e58b5a3526a5b42be36a7cdf94d17035f76df9fed7db09d3982330a61986f7d8
c9d61842904c94a0a518478b2e9a81814b1bac45579d077bb4d5e628a9556d19
0aeabd2cce82133225f93a32f88d3a1ac58b149f1b897d7467fcfbd02369330e
e4e4ba94f26c1684ca0d8815d9f20b81e3c7000a88729a460f688ef405995161
c4dd212e80e44d05c45658aa172cf438abd791e89096f1b512fd67684951b0a0
9b400556890eb898227a06f91838ff0edf22c19a5f06d5f99181c7da2c45ea07
37de802ee7fb89ecbaef5175ea96747b7d429e92621cc236ee461cd6f084799b
SH256 hash:
f9dd467756989b972f91b74dd3d8a46177a487a466cd46ee295957b8f46160ab
MD5 hash:
da7faeda88e9104f5fde519966dab3d1
SHA1 hash:
46c0be2aef08a87e006807fddaed9da52e14ef7e
Link:
https://www.unpac.me/results/80311bb3-398e-4e28-be14-0001a6df2295/
SH256 hash:
6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
MD5 hash:
0dde183351f48665734eaa76277e3058
SHA1 hash:
616db88ceee46791f4a959bbcac6a154e0044776
Link:
https://www.unpac.me/results/80311bb3-398e-4e28-be14-0001a6df2295/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6295a983138a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2688389/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2689675/
Cape
Cape
https://www.capesandbox.com/analysis/432628/

Comments