MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565
SHA3-384 hash:	7f47500dc15e2d0039085766cf79a87b8694a9112210a4a8d34e72a1240571b7ae83e6149f660ffc82ac6216c80cd601
SHA1 hash:	ddf32749cab4d8f9bd07d16980bb4e946bb75d6d
MD5 hash:	fff2f00fa9387530fb724fb44855b4f3
humanhash:	foxtrot-michigan-charlie-march
File name:	SecuriteInfo.com.Win32.RansomX-gen.18300.31131
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	359'424 bytes
First seen:	2023-07-23 01:26:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cfbfd8ca3fe61cf1ac99b7bb15f4a1e5 (4 x RedLineStealer)
ssdeep	6144:RVjX0ahHvBVF79h7r7AoAsn56ZvYrIJ9VW1NM:jjXdVvBVT5A65pY81NM
TLSH	T14774E02233F0D0B2D16356305831D6A16E7BB8B2773959CF77A41E7E5E70AD08A39362
TrID	52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.5% (.EXE) Win32 Executable (generic) (4505/5/1) 3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	321a0e6a80908000 (1 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

368

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

SecuriteInfo.com.Win32.RansomX-gen.18300.31131

Verdict:

Malicious activity

Analysis date:

2023-07-23 01:27:59 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/840e4222-22fb-46d5-ab5d-d7d130295b3c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/429479/

Detection(s):

SecuriteInfo.com.Win32.RansomX-gen.18300.31131.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64bc81e62c2ccb709442e6b5/reports/36ace4b6-2cba-4b27-8777-63c8acd30bcd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a3a594b8-b8be-41e7-b2ba-758358038df0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1277833

Signature

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-07-23 01:27:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqo3pdlykefcnbu2bqlrsoloyakrx24x5v5kq2gsxouqstlhavsq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230723-bt375sch65/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

178.32.90.250:29608

Unpacked files

SH256 hash:

fe2e6f04b777ad58b3aa60f3ae725613f850cd7f33c1b5cf412b3834289eb4af

MD5 hash:

00981eed9a174d47add5c077be3ce7ab

SHA1 hash:

ff8a981a094b4c5cea1be6671ede01e1f1e6c5fb

Detections:

redline

Link:

https://www.unpac.me/results/43a20c47-1a93-4051-b757-e8064cb9deb7/

Parent samples :

5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9
6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565
127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53
9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927

SH256 hash:

72f33a98e88d0f17816c1ffdec17f74ed3b45582e7bfb9a7a97badde980a5583

MD5 hash:

c37db513789ef0b2e4cb7b5c613e2045

SHA1 hash:

fe22e822a3992e9e3fdb58d089b851a093c9a280

Link:

https://www.unpac.me/results/43a20c47-1a93-4051-b757-e8064cb9deb7/

SH256 hash:

95fd90ac54a23cc58162f72131d28c710e165286c3d42df4eec8a60a4cdc524b

MD5 hash:

741eb59c0a7d6e51ad6204088662709e

SHA1 hash:

d1270e8a99f43a1b1bcff9ee293472513c9db28e

Detections:

redline

Link:

https://www.unpac.me/results/43a20c47-1a93-4051-b757-e8064cb9deb7/

Parent samples :

SH256 hash:

d14a6bc260e69c17d5116aaf1550add0073a4530b12b74e5aff401cc7dae306d

MD5 hash:

d2f632d0f06158afdb609edc4cdce942

SHA1 hash:

adfa06207dc106a83b68bd958e5300874cc896cf

Link:

https://www.unpac.me/results/43a20c47-1a93-4051-b757-e8064cb9deb7/

SH256 hash:

6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565

MD5 hash:

fff2f00fa9387530fb724fb44855b4f3

SHA1 hash:

ddf32749cab4d8f9bd07d16980bb4e946bb75d6d

Link:

https://www.unpac.me/results/43a20c47-1a93-4051-b757-e8064cb9deb7/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6c1db78d7851/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/