MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
SHA3-384 hash: e5ee7e6248bf17a0f1cda1b0245fac73710d2e53ae4568e58bce40e1e881200657e0728d118b1b95c0e1020cd9c1f964
SHA1 hash: 4de9d36037feb708c3229dbeb2f202398fb4f221
MD5 hash: 05f2dd3d2dacc8633d402e404d918e79
humanhash: emma-ink-hot-uncle
File name:05f2dd3d2dacc8633d402e404d918e79.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:435'200 bytes
First seen:2023-02-06 13:15:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f28ad02a4adb6c9c9717704f5e5b34ac (8 x RedLineStealer, 6 x Smoke Loader, 3 x CoinMiner)
ssdeep 6144:0ELvIq0ciBGJzBIlK8oB8KmIkNqX4FMT3quk6or6:0ErIq8kJzklqEMT3qrD6
Threatray 14'445 similar samples on MalwareBazaar
TLSH T13D94AF03E6F17C53F91296729E1EEBE47A9DF5608E0BE76912189D2F14711B1C2B3328
TrID 38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 4420848490848444 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.7:4138

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
05f2dd3d2dacc8633d402e404d918e79.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 13:18:51 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c9cea327-197d-4cdd-8ce2-901f8a4d9c35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360863/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63e0fd951c9cbf7d62562126/reports/8e776b16-7282-44d8-873d-38844c0f03cb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae252b78-6bfc-4ffb-98e3-108c2553aae5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1166983
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 13:16:09 UTC
File Type:
PE (Exe)
Extracted files:
81
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m3ut4yssvsoi6kqcyeq2xrvuosogpmjrxigsdm467el6nfnmqtha._file
Verdict:
malicious
Similar samples:
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
RedLineStealer
49ac8bc914ad125e4a8e8699b2aa2500c143ffd25b5daa0752f6857eec143842
RedLineStealer
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
RedLineStealer
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
RedLineStealer
b7e899976d3623c9de25a73f0fd57d963f12af9b0cacc952f1ce5aa14b93f920
RedLineStealer
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
RedLineStealer
cbbe39944f1a5af5719f583c375de30cd19a553a0bd70e5246a8f7ee61523717
RedLineStealer
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
RedLineStealer
dfe21a9c782431cbaa3f36a174c1eb493a5b161f6da763e74cb11d65fabe8eab
RedLineStealer
ead282a624633ea76a708ff1ab34593c3095876fa6754078927393f9300b30f8
RedLineStealer
+ 14'435 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:bilod discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230206-qhs1csea39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.7:4138
Unpacked files
SH256 hash:
f1e65d2fb477a2eacb1dedfe236100e4b1630b5e5450463d89cf9e66b1af6760
MD5 hash:
ef45323b1905067239609c4d153255a3
SHA1 hash:
d652ca53fc109b61769b2eba0577bc51089f265e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/02d800ef-f2cc-4370-9d09-9a5535fc01b5/
Parent samples :
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
eceade3ce86427080b0f4efe03d382ae3ae049cdcafef49cbd1365aab1918ec2
SH256 hash:
56d331d10b814d3bf111a7be43ded93212f1a6538b7f1ed27b36ef01552c6ed4
MD5 hash:
ed50aef1e5392cc41f2f7ad564197b86
SHA1 hash:
79abf2fb46e76cd7ee994cf40120483a6181548c
Link:
https://www.unpac.me/results/02d800ef-f2cc-4370-9d09-9a5535fc01b5/
SH256 hash:
736c3be20841c64e8c3494022027e9cb478a3c34338fa576c02372bb1c1c6470
MD5 hash:
a21d55f20608a424700512cbe24c33f4
SHA1 hash:
5d7279d9107ed162f466a284a966df2195e3b511
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/02d800ef-f2cc-4370-9d09-9a5535fc01b5/
Parent samples :
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
b7e899976d3623c9de25a73f0fd57d963f12af9b0cacc952f1ce5aa14b93f920
dfe21a9c782431cbaa3f36a174c1eb493a5b161f6da763e74cb11d65fabe8eab
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
eceade3ce86427080b0f4efe03d382ae3ae049cdcafef49cbd1365aab1918ec2
a373356377baa29111c9c78123b35689f35dd91d6b440262646078d6571cecf1
SH256 hash:
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
MD5 hash:
05f2dd3d2dacc8633d402e404d918e79
SHA1 hash:
4de9d36037feb708c3229dbeb2f202398fb4f221
Link:
https://www.unpac.me/results/02d800ef-f2cc-4370-9d09-9a5535fc01b5/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66e93e6252ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2528642/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2529227/
Cape
Cape
https://www.capesandbox.com/analysis/360863/

Comments