MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bf72815b7831a968d757e3f1634d06532b20071e28bcd8ae88d4a24537f06ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bf72815b7831a968d757e3f1634d06532b20071e28bcd8ae88d4a24537f06ba
SHA3-384 hash: 2de6f2eaa53bfbd421e70ac0ec00cec6f4cd9fe2d600954de6d8e7453efab4c1b515c5da22d1972d888fd4348140eae6
SHA1 hash: 2bf4a38b8520d9c56d58b497486cffe1fc653652
MD5 hash: 7daab299fbfdef3d24f0aaf63d5129cd
humanhash: bluebird-cup-three-nine
File name:Order_Inv#54648.jpg.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:536'946 bytes
First seen:2021-11-26 07:44:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3eaa732d4dae53340f9646bdd85dac41 (11 x NetSupport, 6 x RedLineStealer, 4 x ISRStealer)
ssdeep 12288:3w35dS4X8AnVqfvt3231ZwC69yKZD+bP139tKeLCjUbWO1+VuYZ:g35dPp43qeyHP13ygWamj
Threatray 1'071 similar samples on MalwareBazaar
TLSH T12DB4F1A276D2C032E52714305EBDA371FA79B9251B704947FFC10A2D7B32AE2D716392
File icon (PE):PE icon
dhash icon 23dca68ad8e4d423 (1 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order_Inv#54648.jpg.exe
Verdict:
Malicious activity
Analysis date:
2021-11-26 07:46:11 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/7d3b3c88-0fc7-43e6-939b-fdcfa00ac34b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Adware.GenericKD.4628642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Launching a process
Launching a service
Creating a file
Changing a file
Delayed writing of the file
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61a09080b71ceed415313fac/reports/6f619cdf-c6c5-49b7-8e1e-655a3e8a20d6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
EngWUltimate
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5061e85d-0e8d-4e28-94c3-849035e0ad51
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896519
Signature
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bf72815b7831a968d757e3f1634d06532b20071e28bcd8ae88d4a24537f06ba/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 07:45:13 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=np3sqfnxqmnjndlvpy7rmngqmuzleadr4kf43cxirvfciu37a25a._file
Verdict:
malicious
Similar samples:
1dc1c512bf8786c4cafd8c03835f96cccdd79e7e55b4a917b5527c52261cfbe8
RedLineStealer
2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56
RedLineStealer
47da94da37e3d742e3cd85e9746aa07752e9003fb7d63bb7d8bb6e0a0276d46b
RedLineStealer
49a326ef65fb6a7f8e778fb2104aa2708e38601348ddbc04e8cbd9117af0458a
RedLineStealer
9a8a699900f94843189af50d9aa633419301f768a156031751278fa079add7a5
RedLineStealer
a519b94cbb4c14b6fb3397c3220851ebf960fffe4f82360dbd4493bad0d38747
RedLineStealer
e2f0a2043a3d8ae1e3b6c3f156a410544c2336108b244dd2f9b77f2f9ede0a56
RedLineStealer
+ 1'061 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:slim discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211126-jld72sbbel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
8.tcp.ngrok.io:10757
Unpacked files
SH256 hash:
f457bcbdc318d1575900a3b2fd009d0959cb1a6e237cb6e3ede4c5520db4e82b
MD5 hash:
7e690fc3f63ce22151a16971482256c0
SHA1 hash:
d8aff39c6476d5a9c876075dc3e12135dc4586de
Link:
https://www.unpac.me/results/ba464876-402f-4ef8-afc3-76ba4262af0a/
SH256 hash:
5dc5ad6a8cc7cd1721a854c44cfca57243404d89d5cfeb60fdfc1a8ec2cba3aa
MD5 hash:
91f9634a8e890a3389fd89a634169fdf
SHA1 hash:
a3863858ec7c5b804072a73da5942d950caa5c57
Link:
https://www.unpac.me/results/ba464876-402f-4ef8-afc3-76ba4262af0a/
SH256 hash:
6bf72815b7831a968d757e3f1634d06532b20071e28bcd8ae88d4a24537f06ba
MD5 hash:
7daab299fbfdef3d24f0aaf63d5129cd
SHA1 hash:
2bf4a38b8520d9c56d58b497486cffe1fc653652
Link:
https://www.unpac.me/results/ba464876-402f-4ef8-afc3-76ba4262af0a/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6bf72815b783/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bf72815b7831a968d757e3f1634d06532b20071e28bcd8ae88d4a24537f06ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 6bf72815b7831a968d757e3f1634d06532b20071e28bcd8ae88d4a24537f06ba

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/209601/

Comments