MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80
SHA3-384 hash:	5d8a55b03d14d2ca8d8ed58add6e8685b65360c5e63df21dccf5251c9af84930934324afe9133132b0d5d19e16af6f93
SHA1 hash:	ca02bdce48ac20f7b40ab720079009894f369990
MD5 hash:	810da00c69d55e89dca3bfe9a6f6a420
humanhash:	mexico-east-friend-maine
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	482'816 bytes
First seen:	2024-01-26 22:35:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	12288:Lh1Fk70Tnvjc52gSbBJKrk+bLcIW1SIoQT79Y4AyGItHYO2E89:Rk70Trcu2oqLISIoQT7C8pHFRQ
TLSH	T173A4021175C1C1B2C0BB113184D6CFB99E7970710B69C6D7BBDC2BBA6E212E1A7362C9
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Bitsight
Tags:	exe RedLineStealer

Bitsight

url: http://109.107.182.3/lego/rdxx1.exe

Intelligence

File Origin

# of uploads :

# of downloads :

562

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/473123/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

Forced shutdown of a system process

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint packed

Link:

https://www.filescan.io/uploads/65b433d20eab2d160543b53b/reports/67d92ca8-c3eb-45c9-8fc9-b5dd3929c368/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4e827dbe-5d70-4bd6-b2d3-515a0de0a82c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1381970

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-01-26 22:36:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=msrb2b2ikcsorxjivbdor6pf24wvkso4ndm55uxjx74z64ypjwaa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@rlreborn cloud (tg: @fatherofcarders) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/240126-2h8atsfgd2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

.NET Reactor proctector

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

141.95.211.148:46011

Unpacked files

SH256 hash:

c27455050c9d8284058a535a0e8f6eaaa42cdc2bb1aa4ad69b1a958dfdf65d83

MD5 hash:

0dcee6393ad2610fc36ebfdde2ef781d

SHA1 hash:

cf8f23b79c43ca0e081fb4dd40f6526bf428fa1a

Link:

https://www.unpac.me/results/5fbfc784-cdd4-45fb-9b5d-bb336176473b/

SH256 hash:

89b3f8fcff4e560a83cf1b7d828b851329454d966f9261b6ed01226a2cffba23

MD5 hash:

c21d2c381b29f04b95f5e75cc80fa231

SHA1 hash:

4a426e7228947bfe664c5344b985008dad176bbf

Link:

https://www.unpac.me/results/5fbfc784-cdd4-45fb-9b5d-bb336176473b/

SH256 hash:

d796ffc19f9268d4b060464f55a284f8c53781a1bea8e067f3814f09731b6a41

MD5 hash:

93fbecdc07883afe612fb3e63e3d0a78

SHA1 hash:

47211fbb7feb2bcf90b39146cf4997455832dc5d

Detections:

redline

Link:

https://www.unpac.me/results/5fbfc784-cdd4-45fb-9b5d-bb336176473b/

SH256 hash:

64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80

MD5 hash:

810da00c69d55e89dca3bfe9a6f6a420

SHA1 hash:

ca02bdce48ac20f7b40ab720079009894f369990

Detections:

MAL_Malware_Imphash_Mar23_1

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/5fbfc784-cdd4-45fb-9b5d-bb336176473b/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/64a21d074850/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/