MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66a9bb5aca16baff27fb08246384857f61b6e649f5a86e4dfe3e57ceba244148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66a9bb5aca16baff27fb08246384857f61b6e649f5a86e4dfe3e57ceba244148
SHA3-384 hash: d38996cb2586718fcefb417a985725f827f4b478e5594f7f885c89a1316ebd3b481ac3e6a7f1ea2df3939bec99399cac
SHA1 hash: 7a7815da2c9effa610928fe501f8ae72c665007d
MD5 hash: e483f3c568e2f08370eaf00f81b79d21
humanhash: quiet-victor-apart-solar
File name:e483f3c568e2f08370eaf00f81b79d21.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'649'920 bytes
First seen:2022-07-25 17:02:06 UTC
Last seen:2022-07-25 17:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 197cb25ab9b318eaf685cca417ffb696 (2 x RedLineStealer)
ssdeep 12288:SO81UrOxSAK2bnA7hbeZhDoD+RkwVSMaA8gntEF9VPXcLlLWkhPEb0WI+Wu+jyCY:v+I1SI4iCQDN5buH+fR5+vtm9A4v+Q
TLSH T141461F41BD3C1534E0D7553F84BBB207E358EABB6BA0E902AD2D8961672719C1C738BD
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
7.1% (.EXE) Clipper DOS Executable (2018/12)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.150.103.38:18410

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.150.103.38:18410 https://threatfox.abuse.ch/ioc/839474/

Intelligence

File Origin
# of uploads :
2
# of downloads :
530
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294083/
Detection(s):
SecuriteInfo.com.Variant.Lazy.224813.24432.24776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay
Link:
https://www.filescan.io/uploads/62deccd17dd0cb902ffcafa0/reports/2f7c46b2-7982-4992-beb1-886ce09ea76e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68d0a87e-d00d-4d11-b2fc-da01a49d0516
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1040587
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66a9bb5aca16baff27fb08246384857f61b6e649f5a86e4dfe3e57ceba244148/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2022-07-25 17:03:09 UTC
File Type:
PE (.Net Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2u3wwwkc25p6j73basghbefp5q3nzsj6wug4tp6hzl45oreifea._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:palladin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220725-vknwmsbefn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.150.103.38:18410
Unpacked files
SH256 hash:
c5ea930a42a6bdc8892a01744dde0a451504b326629b837f1e21c42f968537e3
MD5 hash:
9aac5d46c94e4058b52784bf6c1f6262
SHA1 hash:
0059e46c10a47bcc758a54431796dfba31e6471e
Link:
https://www.unpac.me/results/19a4fe9f-81ec-4491-a961-9ccc37870c5d/
SH256 hash:
66a9bb5aca16baff27fb08246384857f61b6e649f5a86e4dfe3e57ceba244148
MD5 hash:
e483f3c568e2f08370eaf00f81b79d21
SHA1 hash:
7a7815da2c9effa610928fe501f8ae72c665007d
Link:
https://www.unpac.me/results/19a4fe9f-81ec-4491-a961-9ccc37870c5d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66a9bb5aca16/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66a9bb5aca16baff27fb08246384857f61b6e649f5a86e4dfe3e57ceba244148

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 66a9bb5aca16baff27fb08246384857f61b6e649f5a86e4dfe3e57ceba244148

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2258536/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2258658/
Cape
Cape
https://www.capesandbox.com/analysis/294083/
  
URLhaus
https://urlhaus.abuse.ch/url/2258535/

Comments