MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66386e6f1072b7a44ee498e43663acae727008be8f459c00c1ae1304417d8d5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	66386e6f1072b7a44ee498e43663acae727008be8f459c00c1ae1304417d8d5f
SHA3-384 hash:	fa371ca0b29a7ac21e1b969d19a908e4f4d5b104273a4337bbf9dda0b029930c81e07513b590bc8aa8efa4b6989e79da
SHA1 hash:	5113526e49437835e630f673b9b31183b1de96a1
MD5 hash:	8f8596d7d10f03526584b5513e737e3c
humanhash:	cup-maine-twelve-music
File name:	66386e6f1072b7a44ee498e43663acae727008be8f459.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	413'184 bytes
First seen:	2022-01-24 21:35:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	13fe0c80afc1585ba6b2557231264a3e (6 x RedLineStealer, 1 x TeamBot)
ssdeep	6144:SDcqwscksF5trMl6K71OwhW7ZwQxuB6g1b2JNaYqIsL1KSJl/IN:SDclDtrsxhOw1QscPLaqsL1B2N
Threatray	4'542 similar samples on MalwareBazaar
TLSH	T1C89401B131B1D431C5922630992ACFE16EFDFC351A69469737A4336EAE323E0991631F
File icon (PE):
dhash icon	fcfcb4b4b494d9c1 (74 x Amadey, 56 x Smoke Loader, 38 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.112:57175

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.112:57175	https://threatfox.abuse.ch/ioc/315764/

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/222076/

Detection(s):

Win.Malware.Mikey-9917879-0

Win.Packed.Lockbit-9919158-0

Win.Malware.Generic-9937404-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware mikey

Link:

https://www.filescan.io/uploads/61ef1bc6f81da814afa12655/reports/1d19575f-bb15-4138-aeb9-1e3b3d6fed0f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2536b82-f807-45e1-bf10-0ce2194f5c01

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/926662

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66386e6f1072b7a44ee498e43663acae727008be8f459c00c1ae1304417d8d5f/

Threat name:

Win32.Infostealer.RedLine

Status:

Malicious

First seen:

2022-01-24 21:36:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=my4g43yqok32itxetdsdmy5mvzzhacf6r5czyagbvyjqiql5rvpq._file

Verdict:

malicious

RedLineStealer

33ef6ee60dce9623f647dd252407a741dd32bea9e6c8738dbe3ff57e26ff7fe8

RedLineStealer

43633799f236be62fcc06fb032bf852afb06998b342bb0ec1872fd895a1fcbd4

RedLineStealer

8cccef783901ac8c2a5537b06c6a60e58f973da17ad17e567e99ae39f6a19e82

RedLineStealer

a512b25da7a4d9e007b1b6a5dc1600f450f2d25bbe8bd0f4843317f144d2be9b

RedLineStealer

c7b95acf9ae3908db86db5f5eba573c7d48c3188971daad4b311b97d49f417e5

RedLineStealer

+ 4'532 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220124-1fwnksafa7/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.112:57175

Unpacked files

SH256 hash:

57b4f49c1b61d9df6561d5661324a8c2d7dbdf2b2a6517fd0335ab08bec51790

MD5 hash:

cc539fcdc7218ac7dbc8c02206745419

SHA1 hash:

aeab6a0efbd3d2599b1a570fb1cb6881cde13a8a

Link:

https://www.unpac.me/results/22682098-f3a3-4ced-a1d5-bcfdef825c31/

SH256 hash:

8998b0796280660fd860b3ca33bc1a40d6d2e493414e5266829e22e187476b27

MD5 hash:

c82e18659b58192bc0f241e2fc0debd1

SHA1 hash:

a629f769770c335b8e55d5b75dd57ed9424546bb

Link:

https://www.unpac.me/results/22682098-f3a3-4ced-a1d5-bcfdef825c31/

SH256 hash:

8dd48132c5150f36debafe482e6c7d044011803fdf83b35af6eb48618c83aae8

MD5 hash:

fc2b8d532a014bd5c3054424a320bd6d

SHA1 hash:

31aad272ff66eeb39fc910ae5b4b0be1a8d681c4

Link:

https://www.unpac.me/results/22682098-f3a3-4ced-a1d5-bcfdef825c31/

SH256 hash:

66386e6f1072b7a44ee498e43663acae727008be8f459c00c1ae1304417d8d5f

MD5 hash:

8f8596d7d10f03526584b5513e737e3c

SHA1 hash:

5113526e49437835e630f673b9b31183b1de96a1

Link:

https://www.unpac.me/results/22682098-f3a3-4ced-a1d5-bcfdef825c31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66386e6f1072b7a44ee498e43663acae727008be8f459c00c1ae1304417d8d5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/222076/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample