MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146
SHA3-384 hash: 239c855e3fdfceb44dec0032e155d15632c3dc40b63bb5c2e88368523640f788918b7b9212c688b760330f5102e965de
SHA1 hash: 1587e66f9a4d83060ee597f983a7323a556bc1c0
MD5 hash: f96144b1d5b53d93caadddade38db5e9
humanhash: ten-hamper-snake-speaker
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'235'912 bytes
First seen:2022-11-19 17:48:15 UTC
Last seen:2022-11-19 19:34:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c87c269684dd62d98968492b86dd710d (3 x RedLineStealer, 1 x LgoogLoader)
ssdeep 24576:tpoG1/LlgEyH9QhH0slclslX6ptmEh4NqYJUo02O7RVUCshnSVjGMY0tZ8bMyqZs:tpocLlac0s5Ih4Ny/Ybb
Threatray 1'592 similar samples on MalwareBazaar
TLSH T12345D012FF5AC429E84F74F8E163AA98529DBC8F4035C2D3F660AE192DB92CF6547017
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0341d9596571633e (1 x RedLineStealer)
Reporter jstrosch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:material.io
Issuer:GTS CA 1D4
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-28T15:45:53Z
Valid to:2023-01-26T15:45:52Z
Serial number: d5585c9796d476330964d310dacbeb00
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 96cdf17c08729a87d209d912f31e44976db48f040dec65934491209fc419e27f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-11-19 17:51:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3c8c069-0eb8-4201-9981-f447db67e533

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/336175/
Detection(s):
SecuriteInfo.com.Variant.Jaik.104495.28782.5065.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Searching for the window
DNS request
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6379170f2609334c72c17ee7/reports/c5e0dd56-1777-4d92-a4f0-92fa1a240620/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1bed4930-7c0e-49cb-86bb-1039f2c2eaaf
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117286
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146/
Threat name:
Win32.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-19 00:40:44 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmay6obrcod2u72rd4eq7uku5jxmg6m4f5dwfciaqj4tsewgqfda._file
Verdict:
malicious
Similar samples:
212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
RedLineStealer
3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141
RedLineStealer
33e78622ef3ff9c1b4464a519a4b9d7e6e4eabb5d296942a554f554fc7f19346
RedLineStealer
60a1499fbadda5bb1da2ee13994de117ddbc02e669644cbe3585c84f35937a49
RedLineStealer
727be5cee6ca4efd8b66e94850461d4d1aab5757d8530d69596b2bd1967790a0
RedLineStealer
99574d9f64bd750fd89fedefe1dce8bbbd81eeaf740140f7887e92aaf5fea53b
RedLineStealer
9aecf1abe46d70a02d17800dbe3a8bda2f72f87456abb0dda69c7f7920cddb60
RedLineStealer
bf32d6402dff27525f6c67730b00a9f7e220ab4a258deee88fa9ada3f358a055
RedLineStealer
d4b8bb0d23cc76d722839af1760053357bc39708d9712af2a882019cbe696613
RedLineStealer
+ 1'582 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kript infostealer spyware
Link:
https://tria.ge/reports/221119-wd1sasgf8v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
212.8.246.157:32348
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a3df5fcf-91fa-49ca-8229-1543d96d2424
Unpacked files
SH256 hash:
daa7214e055bc2e16862edc84de7874cab95168b6e84ee8126739fe610bc787e
MD5 hash:
bbd43001f5842a1887e71db97bd5da1c
SHA1 hash:
c846b1630d8f72f1d764050b730296542d9050bc
Link:
https://www.unpac.me/results/07ddc752-37a9-45e0-b4a9-ea3687344333/
SH256 hash:
63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146
MD5 hash:
f96144b1d5b53d93caadddade38db5e9
SHA1 hash:
1587e66f9a4d83060ee597f983a7323a556bc1c0
Link:
https://www.unpac.me/results/07ddc752-37a9-45e0-b4a9-ea3687344333/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63018f383113/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/336175/
  
URLhaus
https://urlhaus.abuse.ch/url/2427355/

Comments