MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
SHA3-384 hash: 31512488c8702298c2fd7c1fa68a830720ef07d0ae987e8c5fc872ff9d56007e458ddb6fee691fa7f257b4612041109e
SHA1 hash: bbf255f3d77886ed47c13bcd7cf0a0c436bd5723
MD5 hash: f26f6a3da57f960505ee5689ba0767a7
humanhash: uncle-bulldog-emma-artist
File name:f26f6a3da57f960505ee5689ba0767a7
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:378'880 bytes
First seen:2023-07-20 08:10:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c1d6f07319e916f23334deb261840fd (5 x RedLineStealer, 1 x Glupteba, 1 x Amadey)
ssdeep 6144:f0T/LcgQT8S7kZksQz2P40g/oW1SFv4NaAEbzS:fs/AD346LK9gQXx4NaJzS
Threatray 148 similar samples on MalwareBazaar
TLSH T145840A83C7B23D59E9278B729E2FC6E877CDF6508E49377D12199A2F00B0276D1A7610
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0008100808020000 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f26f6a3da57f960505ee5689ba0767a7
Verdict:
Malicious activity
Analysis date:
2023-07-20 08:19:02 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/7f42f673-4419-4bd5-bb81-63027113830b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/425906/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64b8ec31fd9e198dc1166a7d/reports/6f32da98-c208-49b5-a349-4e9474cca5f6/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0ee07f9-29fd-46db-8571-21cdff5781c0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276550
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1276550 Sample: IEDutEEmaj.exe Startdate: 20/07/2023 Architecture: WINDOWS Score: 100 90 Snort IDS alert for network traffic 2->90 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 9 other signatures 2->96 10 IEDutEEmaj.exe 15 7 2->10         started        15 AppLaunch.exe 2->15         started        17 MTA1.exe 2->17         started        19 2 other processes 2->19 process3 dnsIp4 72 178.32.90.250, 29608, 49698 OVHFR France 10->72 74 transfer.sh 144.76.136.153, 443, 49699, 49700 HETZNER-ASDE Germany 10->74 62 C:\Users\user\AppData\Local\Temp\123123.exe, PE32 10->62 dropped 64 C:\Users\user\AppData\Local\Temp\123.exe, PE32 10->64 dropped 66 C:\Users\user\AppData\...\IEDutEEmaj.exe.log, ASCII 10->66 dropped 112 Detected unpacking (changes PE section rights) 10->112 114 Detected unpacking (overwrites its own PE header) 10->114 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->116 118 2 other signatures 10->118 21 123123.exe 1 10->21         started        24 123.exe 14 67 10->24         started        file5 signatures6 process7 dnsIp8 98 Multi AV Scanner detection for dropped file 21->98 100 Machine Learning detection for dropped file 21->100 27 AppLaunch.exe 2 26 21->27         started        32 WerFault.exe 24 9 21->32         started        34 conhost.exe 21->34         started        70 127.0.0.1 unknown unknown 24->70 102 Query firmware table information (likely to detect VMs) 24->102 104 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->104 106 Tries to harvest and steal browser information (history, passwords, etc) 24->106 108 2 other signatures 24->108 36 chrome.exe 24->36         started        signatures9 process10 dnsIp11 76 ip-api.com 208.95.112.1, 49702, 80 TUT-ASUS United States 27->76 78 185.159.129.168, 80 ITOS-ASRU Russian Federation 27->78 82 4 other IPs or domains 27->82 68 C:\ProgramData\...\MTA1.exe, PE32 27->68 dropped 120 Suspicious powershell command line found 27->120 122 Creates an autostart registry key pointing to binary in C:\Windows 27->122 124 Uses schtasks.exe or at.exe to add and modify task schedules 27->124 126 Adds a directory exclusion to Windows Defender 27->126 38 powershell.exe 27->38         started        41 schtasks.exe 27->41         started        43 powershell.exe 27->43         started        45 schtasks.exe 27->45         started        80 192.168.2.1 unknown unknown 36->80 47 chrome.exe 36->47         started        file12 signatures13 process14 dnsIp15 110 Adds a directory exclusion to Windows Defender 38->110 50 powershell.exe 38->50         started        52 conhost.exe 38->52         started        54 conhost.exe 41->54         started        56 conhost.exe 43->56         started        58 conhost.exe 45->58         started        84 www.google.com 172.217.168.4, 443, 49516, 49719 GOOGLEUS United States 47->84 86 plus.l.google.com 216.58.215.238, 443, 49724 GOOGLEUS United States 47->86 88 apis.google.com 47->88 signatures16 process17 process18 60 conhost.exe 50->60         started       
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 08:11:06 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngsbwqq3bke6sgs33izldwflobt47iouqqjuom7vuk3dkxwzajnq._file
Verdict:
malicious
Similar samples:
0600905449ba9b91c459bb4cb2859d8b33062475fc568930c15931f7fba4e5b2
RedLineStealer
11878766a2a00d5bbc7774f4697c78d29fbd54293ca264eabf208691f85bbd14
RedLineStealer
3585046470ceeba22fea4a341e6a1b8998d43b4a0a53450747ee361c0c56f770
RedLineStealer
3d9868ef3b6c60ebe9ef766672923f57253ac74cd5bc2592e2d62bb984b5f95d
RedLineStealer
64365156896ff3b41790a7b0dd38bf1efb985a4e5e35135883b34ea69a85b508
RedLineStealer
aaf09dfbee099f00c96d0cc72a4d5c9ac8101522eb43159c7a94ebdc221f69d4
RedLineStealer
c17f2f54fc2cefba56ff8d26c44fd63d71a015ee621aead29b7ca9bb7a0cb856
RedLineStealer
cfb31b24488df4fe68b547bc9a28f994e67191749f8c76dc07a6f25f48475287
RedLineStealer
eed4aae9bac8170a1629ffc3176a04f0ea9e58de8cb295a1332952b6afb3cf46
RedLineStealer
f46b5b289501e88dc89c7d8daf37156459bcacebceaff3af7718190384546dbd
RedLineStealer
+ 138 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery evasion infostealer persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/230720-j29znaec3s/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Malware Config
C2 Extraction:
178.32.90.250:29608
Unpacked files
SH256 hash:
fd7fcb15664a8d6b15f986edf7b1b89ac04fd0b7e2c75ba51f2d7be2b16bd25e
MD5 hash:
226ebe2b896adda7d7ca7808c7830e79
SHA1 hash:
dbc7a3619f3ae0e77d983718ddf7447ff9aa2e0c
Link:
https://www.unpac.me/results/0bb5c6e3-7a64-45f8-8034-f80525f251f2/
SH256 hash:
055d23615d232b3b26dce994eb4e011505be13199c97610974f011bba0adc805
MD5 hash:
84fdf79fc25c72aa2a12972d25e8476b
SHA1 hash:
72288d6450b272481eb9a606367f7ee848427f98
Link:
https://www.unpac.me/results/0bb5c6e3-7a64-45f8-8034-f80525f251f2/
SH256 hash:
6b50f48dd61d0e8af9d39ec9c4326a28cd3298e8b336bfdd5c81cd3db2bb1e54
MD5 hash:
c5634c071c4a20379d58bf9e5f4d9a8c
SHA1 hash:
3c5e48ad01611b0c79b204ec398c9b3d8a30a21e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0bb5c6e3-7a64-45f8-8034-f80525f251f2/
Parent samples :
d3c8faef1fc611343ee8bdd7462c6c9e0b90394da533475f46a518bb2c63329f
7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
7c1f977a3b607dab39ee80ccef392929f038c69d75730e3881011b292c518710
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
0ffe096e263b93450e971cb1485fd907b6572638228a1cd9ddd1575a866c6cc9
cdbfb15564317948c800599bf4e4ae31ca937d89a716dc1bf52752e10fa7980a
732c6933975284af9ff5eb21fb1f667a66c0751cd2dc87cb87e352dfa8918ee3
6cbe4e43208d3edd0da509a7bf7bd1a17b8cdd81806eb7107ab26adc633c4ae2
SH256 hash:
6178ca1d58de3919bbb2953d0571abab36e10d95f83624ec6cd174b1d29aade1
MD5 hash:
92466a9033e3c20a4a960a352ddc1781
SHA1 hash:
35716bf3775bd1662e9359d74fbcbcfcc8427709
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0bb5c6e3-7a64-45f8-8034-f80525f251f2/
Parent samples :
d3c8faef1fc611343ee8bdd7462c6c9e0b90394da533475f46a518bb2c63329f
7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
7c1f977a3b607dab39ee80ccef392929f038c69d75730e3881011b292c518710
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
0ffe096e263b93450e971cb1485fd907b6572638228a1cd9ddd1575a866c6cc9
cdbfb15564317948c800599bf4e4ae31ca937d89a716dc1bf52752e10fa7980a
732c6933975284af9ff5eb21fb1f667a66c0751cd2dc87cb87e352dfa8918ee3
6cbe4e43208d3edd0da509a7bf7bd1a17b8cdd81806eb7107ab26adc633c4ae2
SH256 hash:
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
MD5 hash:
f26f6a3da57f960505ee5689ba0767a7
SHA1 hash:
bbf255f3d77886ed47c13bcd7cf0a0c436bd5723
Link:
https://www.unpac.me/results/0bb5c6e3-7a64-45f8-8034-f80525f251f2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/69a41b421b0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/425906/
  
URLhaus
https://urlhaus.abuse.ch/url/2686296/

Comments