MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 663d6c13085975c11d0014705d9233430ab84ff53d0dd1a74b8e387c1e6f9dad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments 1

SHA256 hash:	663d6c13085975c11d0014705d9233430ab84ff53d0dd1a74b8e387c1e6f9dad
SHA3-384 hash:	f982a1d5c2689c5450781c9b38f17d6be2cad4c21e74346f53e6236f731efb0c9ad214006543c898ef23cf69eb625d12
SHA1 hash:	bc3a01b32168c3c3c75964e006e9cf7a32ae7930
MD5 hash:	2697e13f1fd016ce1e7538cc6a2003bc
humanhash:	september-single-foxtrot-saturn
File name:	2697e13f1fd016ce1e7538cc6a2003bc
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	422'400 bytes
First seen:	2022-05-28 00:23:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5df5f515f76bb815fad87fade1c304d (7 x RedLineStealer, 3 x Smoke Loader, 1 x DiskWriter)
ssdeep	12288:3caPSAiFwtUF7h0Ww6QXIxYh+cdq025U8vG6IR:7PSblVhT8+c+O8s
TLSH	T1C294BF10BBA0C434F1B702F4897A8668B93EBEF16B2451CB63D466ED9A356D1EC31707
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4d2b9e9f092d864 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

700

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

2697e13f1fd016ce1e7538cc6a2003bc

Verdict:

Malicious activity

Analysis date:

2022-05-28 00:25:02 UTC

Tags:

redline

Link:

https://app.any.run/tasks/661c9983-01a8-4da1-b495-84a76f4aa29c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/275115/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.9967.20672.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62916ba8370bb1455ccb374c/reports/2975ff90-319e-43e5-81d3-8a252b9437ae/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003242

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.RelineStealer

Status:

Malicious

First seen:

2022-05-27 23:35:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=my6wyeyilf24chiacryf3ertimflqt7vhug5dj2lry4hyhtptwwq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mt infostealer

Link:

https://tria.ge/reports/220528-ap2cbaabh9/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

Malware Config

C2 Extraction:

193.106.191.222:23196

Unpacked files

SH256 hash:

30827a2c20883b66ef0ce8338e1b0ea009e614dbf180925f07f821044516e5ae

MD5 hash:

00f17cf5db2239f0b277ee8563bab7b8

SHA1 hash:

b3d288d15fae48ac304174f71ac606e0cafe266d

Link:

https://www.unpac.me/results/7904b92f-bd7f-4c05-bb5d-952fec12d213/

SH256 hash:

83fba7584d02dff451eb09cff29287592985d0162c2808d77666520ce759e616

MD5 hash:

7ac73c6b142e2667f6a581d1280171ee

SHA1 hash:

9bdde02b2f26807d39fc51ec867afb757b108870

Link:

https://www.unpac.me/results/7904b92f-bd7f-4c05-bb5d-952fec12d213/

SH256 hash:

3ae3b67b2cc72a5679474048f159062b579a02c3afce1325976ef8732a99785a

MD5 hash:

71e04e47ee5c6a4e6f1ff17d0659b073

SHA1 hash:

0399b514c3d25220b3aa481c3bb6b17b84d59a17

Link:

https://www.unpac.me/results/7904b92f-bd7f-4c05-bb5d-952fec12d213/

SH256 hash:

663d6c13085975c11d0014705d9233430ab84ff53d0dd1a74b8e387c1e6f9dad

MD5 hash:

2697e13f1fd016ce1e7538cc6a2003bc

SHA1 hash:

bc3a01b32168c3c3c75964e006e9cf7a32ae7930

Link:

https://www.unpac.me/results/7904b92f-bd7f-4c05-bb5d-952fec12d213/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/663d6c130859/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/663d6c13085975c11d0014705d9233430ab84ff53d0dd1a74b8e387c1e6f9dad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.