MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6681956a8be4651c90ae15f7aef3438abd22912a6f473e57688dbfa9d5d51b9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6681956a8be4651c90ae15f7aef3438abd22912a6f473e57688dbfa9d5d51b9d
SHA3-384 hash: 88ba5a59a944758889893711bbdec7a7cc0b286164e202a2abb4d33a9cc9c8025f3b0b51605fb39b9ab9e9f52fa8a709
SHA1 hash: 17d07a03d8a46753b43cfb559348980e177c6966
MD5 hash: bb48c3e8cf43b9b8486af3d1df672aee
humanhash: autumn-fix-ink-lake
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:279'552 bytes
First seen:2023-06-20 03:52:30 UTC
Last seen:2023-06-20 11:51:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d91fa928c738702455bfa66ac3685503 (23 x RedLineStealer, 7 x Amadey, 1 x Healer)
ssdeep 6144:XrDNeX24wdAd6HT9eMTO3yLxrITvD+OxxWzCMu:fNeCRTzTtLxUTBxxWz
Threatray 1'937 similar samples on MalwareBazaar
TLSH T1D7544B0FB5C50336E471103D2BB02956ECEDAC910D34EDBB7A6CC329156BBE269690DE
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc808950829_663071592?hash=qz8Ck143JrW4Fi1WDdC97jJrmHloy8x9hmvZXd97E9s&dl=qfHkcNpgQQZ4UOrGBdZhBzTkBci2rCyiQzknyB6elo8&api=1&no_preview=1#file

Intelligence

File Origin
# of uploads :
9
# of downloads :
285
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-20 03:53:21 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/c7048031-e88b-4d2d-b39d-26715425a64f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400711/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.14088.23440.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6491229d64de9606a577566c/reports/361b0dbc-b250-41dc-b39b-8a1ede621f6b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6681956a8be4651c90ae15f7aef3438abd22912a6f473e57688dbfa9d5d51b9d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d96cc51-f2a5-4388-b1b2-3ead1fdf1ba0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257868
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6681956a8be4651c90ae15f7aef3438abd22912a6f473e57688dbfa9d5d51b9d/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 03:53:05 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2azk2ul4rsrzefocx32542drk6sfejkn5dt4v3irw72tvovdooq._file
Verdict:
malicious
Similar samples:
13bd233a9efff1d755172c4548e3d1b78a881f0c911ab25129c38d8c47034a40
RedLineStealer
146ba9f41fa5df4ea395897c82cdf473edb747fa681c10d856265eaa013a3fb1
RedLineStealer
1864b758286146998d8cee8145f71eb2206839bb5bce240cf84fad01eaf9bff4
RedLineStealer
19e8083ff0290480e03d8907de6652320ec08f22ab1439ba65bebcca2c3daa19
RedLineStealer
20720467748d05be1ab69c778a39903853055c152611ad382598289fbb477c14
RedLineStealer
28b54683c8db0b3edeb068646b0aa206b84363c38d62597597bd9a8e5dac9dc7
RedLineStealer
3023836b37a47b6599e276d2d7553299e07a1c372c40d47659d6c041595b1aa6
RedLineStealer
3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51
RedLineStealer
94ebb573c419aa5212d6bb085568c0c0f63dfb98fc01b9296ef233d2d3e8ed09
RedLineStealer
e6e9b2996939b2b53882d860a20106ac2e0f8098cdb8409974721fe59cf5cef1
RedLineStealer
+ 1'927 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:prolivka2 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230620-efl89ahg38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
79.137.204.46:48843
Unpacked files
SH256 hash:
7696973409f5b9d8130231a4de388db0ce7cd9e5dff15f1b79d43e00eaca84f0
MD5 hash:
c3c19b06b01a6750c7a0f283e93a8e30
SHA1 hash:
e8f13479848339ee4349847f56503d0079785e7e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/e18c6acb-4f07-4483-97b1-98671ba57876/
SH256 hash:
370232a999f8852d75fb2c2cc135280ef557051a8266a9e5036bf625f25505a7
MD5 hash:
4fbdc1958bba85f5cc4060efa1eb4839
SHA1 hash:
37f099bcc87fc2c75be604d3a40f6d244ca54675
Link:
https://www.unpac.me/results/e18c6acb-4f07-4483-97b1-98671ba57876/
SH256 hash:
6681956a8be4651c90ae15f7aef3438abd22912a6f473e57688dbfa9d5d51b9d
MD5 hash:
bb48c3e8cf43b9b8486af3d1df672aee
SHA1 hash:
17d07a03d8a46753b43cfb559348980e177c6966
Link:
https://www.unpac.me/results/e18c6acb-4f07-4483-97b1-98671ba57876/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6681956a8be4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6681956a8be4651c90ae15f7aef3438abd22912a6f473e57688dbfa9d5d51b9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/400711/

Comments