MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d54b83f59de5a2ed9ffa13fc40c65fdeebc14d9e0c2f9417f326fc9c58bdbf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d54b83f59de5a2ed9ffa13fc40c65fdeebc14d9e0c2f9417f326fc9c58bdbf7
SHA3-384 hash: 263906f28e1158b08303dffdf292186992e29a474ee776dd0459feaf7430e07904f318ad30cf85e505eeecd4677bb906
SHA1 hash: 1440168c4391194c6ca1734c98cf607e5963ea20
MD5 hash: 368c4ce6979e785101dffcd1aed9388e
humanhash: fourteen-uranus-angel-michigan
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:364'544 bytes
First seen:2022-10-21 15:53:44 UTC
Last seen:2022-10-22 06:06:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 83aec8d33ff1d2ed6e490bde788f9850 (12 x Smoke Loader, 10 x RedLineStealer, 5 x CoinMiner)
ssdeep 6144:CKfLFh6uQ9GsYSIV54ANMmKZ4qc6MHTqvMXHAQPBU1IBlRoz:CKf5h6b9GsoVyQsIcMXAQPs6R
Threatray 7'227 similar samples on MalwareBazaar
TLSH T16D740211B6C2C431CC17A9391024CE55AE3BBD3252B54E6B77987B2E5EB02D39E7630B
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon 70f0929092d6d070 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc32384019_646242782?hash=CI701wVWj9zhCsy4wSTdanUSoPawAqXxBvhZtbx6dS8&dl=GMZDGOBUGAYTS:1666365505:cr8I9F5davYPxoG3Z662lxk28azGzCgBLSR51MYhThD&api=1&no_preview=1#lau1

Intelligence

File Origin
# of uploads :
369
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-21 15:56:30 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2f781971-57e9-48c7-bfb1-673116c40f5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/322345/
Detection(s):
SecuriteInfo.com.Variant.Babar.111863.10530.4363.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6352c09efdf6478a15afb41f/reports/dd5cefbd-e011-46f5-bdb5-7cd83ce92526/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/871b5bca-273d-453c-9c47-dd24946cd79e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095046
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d54b83f59de5a2ed9ffa13fc40c65fdeebc14d9e0c2f9417f326fc9c58bdbf7/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 16:11:42 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvklqp2z3znc5wp7ue74iddf7xxlyfgz4dbpsql7gjx4trml3p3q._file
Verdict:
malicious
Similar samples:
0d6b09a12fbd4549687911861b6d5713c195f207a67785240699ec14795b5406
RedLineStealer
40e43076c62a6462606c9318779dbd385fbc88bf9e6bfb199ddbadef10ad011c
RedLineStealer
716b591fa8d603b4b8aa3ae6e213e5c51ced9ae90ac6d1cd33c1d5545b8fb1af
RedLineStealer
9ec361b46ddb18fa93896469cf4f6499f1d976d08bea8bcbc33e2738aea0d9cf
RedLineStealer
a25e7096965a6cc95b9d352393dcfee78735c051cb08840d479ee5106474cdc7
RedLineStealer
af4e159a331de4586e272e8e01881dad17fe56ee168e2cffb9d192cd95bbdb26
RedLineStealer
d54ac4512ec628667e1824e1369727de79f9498dcd00bf7d0f83d9e13b5f39eb
RedLineStealer
d5ef538b968f2951b0018ac85e4a064690ddd9f4658d6095472367642e3d0816
RedLineStealer
f1c9dc77f406f186381bc88d7d5b3a92dc8145d62ac40b6632112ce252f7a606
RedLineStealer
+ 7'217 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:setup 2.523.975 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221021-tb73gshfc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
45.15.156.53:41808
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7a48167f-7451-439e-9662-24895fcbe6e1
Unpacked files
SH256 hash:
6895b71fe1f16f41ce43046509898e0af0cfc477d8eb8a860c6296dcba9544bd
MD5 hash:
6f408aa98f4994e8ceed6338eac836a4
SHA1 hash:
74aa9a24b1816c75a476adf4cd79d960c4230c2e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7b89b056-b438-4b52-a3d7-f8c1197a67d6/
Parent samples :
9ec361b46ddb18fa93896469cf4f6499f1d976d08bea8bcbc33e2738aea0d9cf
6d54b83f59de5a2ed9ffa13fc40c65fdeebc14d9e0c2f9417f326fc9c58bdbf7
SH256 hash:
867771864855196ec265fc21c54d24332c4edd3b54f610813075690314bfc047
MD5 hash:
c1d3e2a9f65b6ff1be006a052f0f0259
SHA1 hash:
2fcb1b7a944da71d2bf60ca5f77f27221d11be91
Link:
https://www.unpac.me/results/7b89b056-b438-4b52-a3d7-f8c1197a67d6/
SH256 hash:
0151fd8ed3a5e7877737ed8dfedc146117c239f63785efca50e6d576d9685212
MD5 hash:
db34175add6f2a46f8aaf04517519107
SHA1 hash:
2923f879de32dd09fbe7b3dd520621c970be8ff5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7b89b056-b438-4b52-a3d7-f8c1197a67d6/
SH256 hash:
6d54b83f59de5a2ed9ffa13fc40c65fdeebc14d9e0c2f9417f326fc9c58bdbf7
MD5 hash:
368c4ce6979e785101dffcd1aed9388e
SHA1 hash:
1440168c4391194c6ca1734c98cf607e5963ea20
Link:
https://www.unpac.me/results/7b89b056-b438-4b52-a3d7-f8c1197a67d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d54b83f59de5a2ed9ffa13fc40c65fdeebc14d9e0c2f9417f326fc9c58bdbf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/322345/

Comments