MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 658d828f56fcfaa0984e56ca3a350a35049a762c454c68e869bb150748c24cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 658d828f56fcfaa0984e56ca3a350a35049a762c454c68e869bb150748c24cb1
SHA3-384 hash: 853b7d1a05ef520faa19cec8abf2d49af8a6648a93ec464c8a1f447846f88236d019e7e2cf096b946281abe7b97ca019
SHA1 hash: eabf426b122730fda8011fc84070fcc67c549868
MD5 hash: 4cadcae373b8049b2ba3f072caa0ecdc
humanhash: beryllium-lion-fourteen-quiet
File name:4cadcae373b8049b2ba3f072caa0ecdc.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:386'560 bytes
First seen:2021-10-08 04:51:55 UTC
Last seen:2021-10-08 06:10:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 54bf62ec6910c4bfd61455c421ef149b (4 x RedLineStealer, 3 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep 6144:JEcB02fHjd7a/2PewXcGWSBKVSKH+UibQnxWc:q52fHB2SewMGWS0YKHSbQn
Threatray 785 similar samples on MalwareBazaar
TLSH T1E984BE10A7A0C035F1B312F4497A93A8B93F7EA17B2894CF62D526EA57746E1EC30717
File icon (PE):PE icon
dhash icon b3e9eccae4318f8c (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4cadcae373b8049b2ba3f072caa0ecdc.exe
Verdict:
Malicious activity
Analysis date:
2021-10-08 04:56:38 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2976afbb-d2eb-4896-bb19-9cd3f2748782

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196032/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.32566.28492.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/615fce78b95458900cdee1c8/reports/dbc97ac6-8993-42d7-b096-25abc584f5fa/overview
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d5ba2da-bdb5-4bbb-8892-bceaf51ca4bb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/866850
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/658d828f56fcfaa0984e56ca3a350a35049a762c454c68e869bb150748c24cb1/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 02:37:00 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwgyfd2w7t5kbgcok3fdunikgucju5rmivggr2djxmkqosgcjsyq._file
Verdict:
malicious
Similar samples:
0d26ea04ba2af21fab0fbef4ebe8331db037f0d540bc569b5591c2f613a502f4
RedLineStealer
147a81a818e41f31acd78476ad65f7e59ff3c3bbd85626d91456838c8acacd11
RedLineStealer
18a991ca66e5a2f3ba4b92dd18171eaa5f7306b8cd7d9aa461e4aaef158e7b5c
RedLineStealer
319d10acfc388b91ab59503ab0d16ca888abaf05fa8e6ba4b1f7a34a61228b5f
RedLineStealer
3c5072f106c32fcabec7964aeefb5133a89e4d973efcc67d88603e53a6dfad48
RedLineStealer
4aa2cde2e72d591091967790e676beca8c91d01be47dec4bacca7c38bfbc91c2
RedLineStealer
5cdca6838044c712d83b192f693ae6da288d6cd065f431014f5569cbbe20b589
RedLineStealer
62d2c5b180e6523289d12df913648a1872c6feff6b4f45bb64705bbe9492b4da
RedLineStealer
700b27a73d8cb49d65daee39cb2a932d688782a20cdd2ee03c9e279e0bf63169
RedLineStealer
d8422e68f6bc3b3564efac25e147168494be5cacfb3d1695945f9935fb1045a4
RedLineStealer
+ 775 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:build discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211008-fhegvsdcd3/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.244.182.136:51832
Unpacked files
SH256 hash:
d69488503bf512756faa49354372bb35aed5ba2a9dc3bd181554d3c273d65995
MD5 hash:
6ad3c76df4cba6c036ca74ed464f581e
SHA1 hash:
4472891e860d86c81d3759682e16caaa638df034
Link:
https://www.unpac.me/results/1f2a8d27-b794-4e78-8ebc-05a94e330083/
SH256 hash:
15d14a003f8b6be1ee658007edc8e38e69656893ed9daf7c0b4949873d7bb460
MD5 hash:
2aff3249b907d9fef2d9c3be2a7a3d5c
SHA1 hash:
381dc99ef44d498d3116922ae6171d31df38725b
Link:
https://www.unpac.me/results/1f2a8d27-b794-4e78-8ebc-05a94e330083/
SH256 hash:
063d9ee6c86d83556a6aed308514fb317d9459be3b02ff854d4b45000c17e417
MD5 hash:
44157ec3ff1419c651ef4aaaf7c9cff3
SHA1 hash:
207f0b23450643d12ae5f66239e54b6bb9a2448a
Link:
https://www.unpac.me/results/1f2a8d27-b794-4e78-8ebc-05a94e330083/
SH256 hash:
658d828f56fcfaa0984e56ca3a350a35049a762c454c68e869bb150748c24cb1
MD5 hash:
4cadcae373b8049b2ba3f072caa0ecdc
SHA1 hash:
eabf426b122730fda8011fc84070fcc67c549868
Link:
https://www.unpac.me/results/1f2a8d27-b794-4e78-8ebc-05a94e330083/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/658d828f56fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/658d828f56fcfaa0984e56ca3a350a35049a762c454c68e869bb150748c24cb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 658d828f56fcfaa0984e56ca3a350a35049a762c454c68e869bb150748c24cb1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1652118/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196032/

Comments