MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67ff3d057ee6962515be690ea592e84fa085302c1894c0b27f95e95ae1faa4de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67ff3d057ee6962515be690ea592e84fa085302c1894c0b27f95e95ae1faa4de
SHA3-384 hash: 0e1b025226a429a699109c5d7fe5c73f83427229c700368e38961b4751ff31317fda60004594519ec1a06c04808e0964
SHA1 hash: c06b2308a2220f988e62d85c3468286ddbcd1821
MD5 hash: 7d873ca398be294081a7721ffaaef150
humanhash: minnesota-helium-sink-east
File name:7d873ca398be294081a7721ffaaef150
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:418'816 bytes
First seen:2022-06-01 18:48:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 618762d2b048464f52e2c5fa0ff53903 (1 x RedLineStealer)
ssdeep 12288:lINb0DiZToxJ9Z8WWEfzwpJ2J/DDSIGMWl:eNMiCXTWMcpIJbDl7Wl
Threatray 5'229 similar samples on MalwareBazaar
TLSH T16294CF00BB90C435F1B712F449BA976CB93FBAB1672481CB62D516EE1638AE5DC3170B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 720c1e062a32168e (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.56.56.106:41557 https://threatfox.abuse.ch/ioc/645718/

Intelligence

File Origin
# of uploads :
1
# of downloads :
741
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
7d873ca398be294081a7721ffaaef150
Verdict:
Malicious activity
Analysis date:
2022-06-01 18:57:11 UTC
Tags:
redline
Link:
https://app.any.run/tasks/4cb0210c-0c41-4048-8f09-49ec0e1be06e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276170/
Detection(s):
Win.Ransomware.StopCrypt-9950822-0
Create hunting rule

Win.Ransomware.Stopcrypt-9950931-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0eef8f9-0f52-43ea-a42e-d6d0f038d154
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1005301
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67ff3d057ee6962515be690ea592e84fa085302c1894c0b27f95e95ae1faa4de/
Threat name:
Win32.Trojan.DiskWriter
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 15:16:01 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m77t2bl642lckfn6nehklexij6qikmbmdckmbmt7sxuvvyp2utpa._file
Verdict:
malicious
Similar samples:
0153ad4d1224b9a37b2eb3264ea7f8685828ab18c9c49aecaa6bda39d914aa7a
RedLineStealer
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
RedLineStealer
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
RedLineStealer
67ff3d057ee6962515be690ea592e84fa085302c1894c0b27f95e95ae1faa4de
RedLineStealer
d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53
RedLineStealer
df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
RedLineStealer
+ 5'219 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:june 1st 2022 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220601-xgbs1sbbe4/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
2.56.56.106:41557
Unpacked files
SH256 hash:
8f39cc4d4ca081d4bb0d52efe47fb3250a519f5cdc5b8cbda0c1fc82a6512491
MD5 hash:
3caebfe638ef3149ef90239fa3e8c332
SHA1 hash:
048aa9e644fa55c399bf2e795dd97d7e42a52cbb
Link:
https://www.unpac.me/results/8347fb17-f175-4396-8cf2-850f1316c827/
SH256 hash:
234d493d82f16989df917284f8b147798c8e72c65dddc1321b79c36e2eb76e47
MD5 hash:
cb2b65fc52d786097df139f2e95d7a1c
SHA1 hash:
13912b350384b4e58cddbe3a112096362f2fe47a
Link:
https://www.unpac.me/results/8347fb17-f175-4396-8cf2-850f1316c827/
SH256 hash:
9c18d219c940a2c51bd8c9806ce0ae3000b19c2b70fe2a37ecc92d4ee73a0d61
MD5 hash:
18a164642c39532dbf4e6023097a5bf3
SHA1 hash:
c369514ffc78248682b308a52a2ca56a3fb769fa
Link:
https://www.unpac.me/results/8347fb17-f175-4396-8cf2-850f1316c827/
SH256 hash:
67ff3d057ee6962515be690ea592e84fa085302c1894c0b27f95e95ae1faa4de
MD5 hash:
7d873ca398be294081a7721ffaaef150
SHA1 hash:
c06b2308a2220f988e62d85c3468286ddbcd1821
Link:
https://www.unpac.me/results/8347fb17-f175-4396-8cf2-850f1316c827/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67ff3d057ee6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67ff3d057ee6962515be690ea592e84fa085302c1894c0b27f95e95ae1faa4de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 67ff3d057ee6962515be690ea592e84fa085302c1894c0b27f95e95ae1faa4de

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2220838/
Cape
Cape
https://www.capesandbox.com/analysis/276170/

Comments


Avatar
zbet commented on 2022-06-01 18:49:00 UTC

url : hxxps://boji.nl/wp-admin/june/NormalisedGravitated.exe