MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 678c669f166984dad4acb1f9aefa2ce5ca144d931d21f3e48e1a1de2bed78ec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	678c669f166984dad4acb1f9aefa2ce5ca144d931d21f3e48e1a1de2bed78ec6
SHA3-384 hash:	31805e8072a99eab5afb6d441777f647edb7b32f0194b8e9a540c81fc6140fd148736de7ade0818b941c2c78e945a11f
SHA1 hash:	38ef5325158e5e64e9772b5cf0c682a9a370aa6b
MD5 hash:	aef023fe3a4cdd390e4098d2d5923ffe
humanhash:	diet-pasta-comet-florida
File name:	aef023fe3a4cdd390e4098d2d5923ffe.exe
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	400'896 bytes
First seen:	2023-07-03 06:18:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc362a37f67c5b096afb52d4b7ed28c1 (12 x RedLineStealer, 2 x TeamBot, 2 x Tofsee)
ssdeep	6144:SkSpLghKZe0fSbUO+YI7N5ENcTyX2VU5YpEI+AcX0SXj:0pLgh3wp7N5Emy6pEI+AcX0Aj
Threatray	7 similar samples on MalwareBazaar
TLSH	T16684D1137AA4FC73D52246338E39C6F46A2EB825FF24569B2318562F4DB13D1EAB1311
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0021310110020111 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
194.26.135.162:2920

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

258

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

aef023fe3a4cdd390e4098d2d5923ffe.exe

Verdict:

Malicious activity

Analysis date:

2023-07-03 06:20:24 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/7cc9722d-805a-40a9-87f6-dbfe53dc8ff4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/405694/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.20240.13243.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

FileScan.IO No Threat

Verdict:

No Threat

Threat level:

  2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64a2685b2299d2688264498a/reports/a9cb267f-ea34-4ad3-95cb-6e8a66c01641/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/678c669f166984dad4acb1f9aefa2ce5ca144d931d21f3e48e1a1de2bed78ec6

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious Packer

Malware family:

Malicious Packer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/04a53058-2be3-4785-ba03-8c6a2f306bdb

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1265542

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/678c669f166984dad4acb1f9aefa2ce5ca144d931d21f3e48e1a1de2bed78ec6/

ReversingLabs TitaniumCloud Win32.Spyware.RedLine

Threat name:

Win32.Spyware.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-03 06:19:07 UTC

File Type:

PE (Exe)

Extracted files:

27

AV detection:

21 of 23 (91.30%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m6ggnhywngcnvvfmwh4256rm4xfbitmtduq7hzeodio6fpwxr3da._file

Threatray malicious

Verdict:

malicious

Similar samples:

34e786b9788e2c0e8626bfdcf63d8452f9a828cc8ce4638b1097a706ba3d99c5

RedLineStealer

8907dec2999775bb017857e6f596781b527233221e341be1f8cf4ccc6dcf4210

RedLineStealer

95084eb619f87c93ad143700f298dc5525c2a0520c308b69411518a9754dc3a5

RedLineStealer

95a09a2609d838abca7d4c252fe9fa44a337901810b2db2945673726ffc36b66

RedLineStealer

aad595b3ee9f1972b20a8b76dc2fe9ed42c311edce0988fb984292cc7398db96

RedLineStealer

dbe7771525ffc7afbc1df1b0bc6c723f7022fd194cdb8042bead2f63eb3780c4

RedLineStealer

fb77c72161a3885499d305cc95dd95a28426a5cf549fdfcbfa2b95c632171e41

RedLineStealer

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230703-g27hesfa47/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

UnpacMe 10

Unpacked files

SH256 hash:

e40d869c584136f073b23a1e35a3632b51024704a8836465a1ef14a6893c8290

MD5 hash:

2181ff0453146090efdc301dd36fbf67

SHA1 hash:

ee2f028b8b1b4c2ba6f3dc732e72e918285ef635

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

8acee876375e9e139f2c4b805142acc00566e7d35b47d192395a8bd34e94636e

MD5 hash:

c0766de0a38b7d3489800a1e2214f9c2

SHA1 hash:

312b9a946022f0654b5d65c3ca80e688ec8f14ec

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

95bcf6d38f4836fa5ffa8ef3780d5a6589b00cb99fc834eea774334ddf6864b5

MD5 hash:

7aced252e230592bfe5835e2ea2429bd

SHA1 hash:

0e7b3d44f6ed9c3cbc5530e4a5e626a4824522d9

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

e40d869c584136f073b23a1e35a3632b51024704a8836465a1ef14a6893c8290

MD5 hash:

2181ff0453146090efdc301dd36fbf67

SHA1 hash:

ee2f028b8b1b4c2ba6f3dc732e72e918285ef635

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

8acee876375e9e139f2c4b805142acc00566e7d35b47d192395a8bd34e94636e

MD5 hash:

c0766de0a38b7d3489800a1e2214f9c2

SHA1 hash:

312b9a946022f0654b5d65c3ca80e688ec8f14ec

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

95bcf6d38f4836fa5ffa8ef3780d5a6589b00cb99fc834eea774334ddf6864b5

MD5 hash:

7aced252e230592bfe5835e2ea2429bd

SHA1 hash:

0e7b3d44f6ed9c3cbc5530e4a5e626a4824522d9

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

e40d869c584136f073b23a1e35a3632b51024704a8836465a1ef14a6893c8290

MD5 hash:

2181ff0453146090efdc301dd36fbf67

SHA1 hash:

ee2f028b8b1b4c2ba6f3dc732e72e918285ef635

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

8acee876375e9e139f2c4b805142acc00566e7d35b47d192395a8bd34e94636e

MD5 hash:

c0766de0a38b7d3489800a1e2214f9c2

SHA1 hash:

312b9a946022f0654b5d65c3ca80e688ec8f14ec

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

95bcf6d38f4836fa5ffa8ef3780d5a6589b00cb99fc834eea774334ddf6864b5

MD5 hash:

7aced252e230592bfe5835e2ea2429bd

SHA1 hash:

0e7b3d44f6ed9c3cbc5530e4a5e626a4824522d9

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

SH256 hash:

678c669f166984dad4acb1f9aefa2ce5ca144d931d21f3e48e1a1de2bed78ec6

MD5 hash:

aef023fe3a4cdd390e4098d2d5923ffe

SHA1 hash:

38ef5325158e5e64e9772b5cf0c682a9a370aa6b

Link:

https://www.unpac.me/results/777ea1f7-34f4-4ecf-8527-87bc4d3cc476/

VMRay RedNet

Malware family:

RedNet

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/678c669f1669/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 678c669f166984dad4acb1f9aefa2ce5ca144d931d21f3e48e1a1de2bed78ec6

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2670388/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/405694/