MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68b13e3fe083711f824ff4d93a428cfdf99da5be53d83e41aa4c2d8093765c18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 3 File information Comments

SHA256 hash:	68b13e3fe083711f824ff4d93a428cfdf99da5be53d83e41aa4c2d8093765c18
SHA3-384 hash:	d608c0c35cc73d21c0fd846ab9b358b2d6a979f89552079d1df2c21ed2ce1251655b3b6279292bb658af92dfb27f0c6c
SHA1 hash:	f65589e9a217e84b6154b123eade77b521307968
MD5 hash:	92ffea5ce8b84d5691d98f1accb68a1f
humanhash:	stream-utah-minnesota-vegan
File name:	file.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	374'784 bytes
First seen:	2023-06-03 06:29:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a52b903201b2b26f84fa5c505e01f1fe (1 x ArkeiStealer, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep	6144:wYLwRcNDPS57v61CFBLsf9cFipooOAOGWXZCYKeq:we0ct2Y1cFipojpCYKeq
Threatray	79 similar samples on MalwareBazaar
TLSH	T14B849E0372E07C24E6264B728E2ED6F8661EF9918F5577D726496F2F08B01A2C373706
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	436343630b130600 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2023-06-03 06:31:01 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/9c876a6a-dc04-438f-bb92-cb77792fa702

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/395070/

Detection(s):

SecuriteInfo.com.Variant.Zusy.470978.22025.6916.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/89157/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/647addebc48ebe317433e7e3/reports/203920b0-9ebf-47cd-b7a6-ccd9cee6bcf3/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/68b13e3fe083711f824ff4d93a428cfdf99da5be53d83e41aa4c2d8093765c18

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f95f50c-738a-4c7d-9e2f-fb45f2dcc284

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1248003

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68b13e3fe083711f824ff4d93a428cfdf99da5be53d83e41aa4c2d8093765c18/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-06-03 04:03:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ncyt4p7aqnyr7asp6tmtuqum7x4z3jn6kpmd4qnkjqwybe3wlqma._file

Verdict:

malicious

RedLineStealer

1e6feb0749b0cfffd2e085d364667c6040cf008a59b0831a74c82db2256055b6

RedLineStealer

28da267cd03efdfd51d9580f406b4e79549b535747817b1d285a549a247258b2

RedLineStealer

6e9f1b1fa3c2d1dd2a2a8d61258685c64ce1fb38a84ba281fa7c07d59225ef10

RedLineStealer

727df79548ea43456317931d6d2afdc98a84856bd1d6779c0dac4d4bc5d3c49c

RedLineStealer

9893ec0e2902925018922ca40cc3495001dec4ccd32137cc13566c74bd1438e1

RedLineStealer

9fe8b148afef5e54b88b76beeccaef42ae37b6387d38fcd8cbd7d509a9f90b40

RedLineStealer

a0e4515ee2de51f5ff5a41b03fd7e993f075c889f297d63143b1620cdcf9d9db

RedLineStealer

bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53

RedLineStealer

c45d9ba24cf0bfa06a2d725ab02811c96025418d7dab9e7644310e512f98ee2c

RedLineStealer

+ 69 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230603-g9ga7sgb8t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

adf7cd07b082ac02b8a83d4f0beb703b81ad8489b2c29f12c4c6f0535fb10ba1

MD5 hash:

dc1590054a644bf07329f2c54b377880

SHA1 hash:

ec36eb9e4269a4bfa6c86c2225a2055706c1b23a

Detections:

redline

Link:

https://www.unpac.me/results/87d8e07b-81a5-46da-990c-d8d398ad5e67/

SH256 hash:

ed0ede06623ec976a73d484da9166d6f5f20902dfc9973c2cff8c661a5b6de04

MD5 hash:

62c16ab1d6a9264cd125b1ce2ac9baac

SHA1 hash:

97941aeecb4ec137b4bb73b9fac3e18efb32a269

Detections:

redline

Link:

https://www.unpac.me/results/87d8e07b-81a5-46da-990c-d8d398ad5e67/

SH256 hash:

ec2bf1b6b8ede4d81bdccaf1ca31164d8264f0539b65fbc8ce2f791e82309a19

MD5 hash:

68d9584ac052b09cba44de95f9fac84f

SHA1 hash:

7c091778f6568e5e6b7601c5ea3425463e592099

Link:

https://www.unpac.me/results/87d8e07b-81a5-46da-990c-d8d398ad5e67/

SH256 hash:

68b13e3fe083711f824ff4d93a428cfdf99da5be53d83e41aa4c2d8093765c18

MD5 hash:

92ffea5ce8b84d5691d98f1accb68a1f

SHA1 hash:

f65589e9a217e84b6154b123eade77b521307968

Link:

https://www.unpac.me/results/87d8e07b-81a5-46da-990c-d8d398ad5e67/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/68b13e3fe083/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68b13e3fe083711f824ff4d93a428cfdf99da5be53d83e41aa4c2d8093765c18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/