MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69d80bd2a76850dc24f4a91c82ef60f998afc28644394282005bc0349be552b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69d80bd2a76850dc24f4a91c82ef60f998afc28644394282005bc0349be552b4
SHA3-384 hash: 03fec146bfc5433d7664a5bde7a04b1b2be75e121f7384c27221c578f3d3f483482063866732ef3888db9c88d16b838c
SHA1 hash: 92cd1deebcb99ca6b92400a7ea428436bb3fef60
MD5 hash: 9756fac731a0fcf1c4c02e2784fac722
humanhash: comet-monkey-solar-earth
File name:69d80bd2a76850dc24f4a91c82ef60f998afc28644394.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:849'312 bytes
First seen:2021-06-08 07:09:37 UTC
Last seen:2021-06-08 08:11:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5RybhuhJ2bnVChiIRpClLbgxcxtC/a+OwStcpJIRMz:vYVHEpKQz/pOdc+Mz
Threatray 174 similar samples on MalwareBazaar
TLSH 9B05394A37E687D1EFEA4570E1B1565E0EAC6F6F2031E39C364830406B4AF476A856CF
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:Symantec Corporation
Issuer:VeriSign Class 3 Code Signing 2009-2 CA
Algorithm:sha1WithRSAEncryption
Valid from:2010-09-08T00:00:00Z
Valid to:2013-11-23T23:59:59Z
Serial number: 66660552d465b31f429f7527ea6a93bf
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5a1cc4220a973075f646244dc41158337edb6bdb590cbfa5a66a4d1f03cb4325
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RedLineStealer C2:
162.55.55.250:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
162.55.55.250:80 https://threatfox.abuse.ch/ioc/67974/

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main_setup_x86x64.exe
Verdict:
Malicious activity
Analysis date:
2021-06-06 00:41:56 UTC
Tags:
trojan evasion opendir loader rat redline stealer raccoon phishing netsupport unwanted danabot
Link:
https://app.any.run/tasks/3d4e5ae0-e057-4f62-88b8-eb8c7f044dea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165222/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37039925.18317.9516.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/798579
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69d80bd2a76850dc24f4a91c82ef60f998afc28644394282005bc0349be552b4/
Threat name:
ByteCode-MSIL.Backdoor.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-06-05 01:15:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhmaxuvhnbinyjhuveoif33a7gmk7qugiq4ufaqalpadjg7fkk2a._file
Verdict:
suspicious
Similar samples:
192896dbc7744f51c63044f4bf8a0fd260cc73ddcc84200161ce45b81c7e9e50
RedLineStealer
2453e8bd99f55b14f3034b2df97689a928074ed695cc498e3e0a50a3708ee3f9
RedLineStealer
37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd
RedLineStealer
50b298120d93f328fa5949eeb470a41ac0e846b28df37d46cb16c0beaa1b128e
RedLineStealer
5706101b5ffaf565a5690227f1c273b174eb2dcd3565904984a36be84eca6645
RedLineStealer
8134d920e8d1221419d02a05a2d99954f2681533dbb06895f3476fb655e73759
RedLineStealer
8645ba1b7632006a19223c7f307f618290c1a7c98fc6118d3b1dd9b2c46687f4
RedLineStealer
87af4b4ad9b0ae7a123dcf680c8e5727ed67814a46cfe38eca3fe771daafe112
RedLineStealer
d6dfe4aff30b87552b5d9c70c88c34a3eebdf2edfbe80f5c4f77472ef26bdec3
RedLineStealer
db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db
RedLineStealer
+ 164 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline
Link:
https://tria.ge/reports/210608-ed4a2y271a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
69d80bd2a76850dc24f4a91c82ef60f998afc28644394282005bc0349be552b4
MD5 hash:
9756fac731a0fcf1c4c02e2784fac722
SHA1 hash:
92cd1deebcb99ca6b92400a7ea428436bb3fef60
Link:
https://www.unpac.me/results/9d425b15-0897-4119-a004-f2a0c4c8edb7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69d80bd2a76850dc24f4a91c82ef60f998afc28644394282005bc0349be552b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_B64_Encoded_UserAgent
Create hunting rule
Author:ditekSHen
Description:Detects executables containing base64 encoded User Agent
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 69d80bd2a76850dc24f4a91c82ef60f998afc28644394282005bc0349be552b4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1290769/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165222/

Comments