MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6db1a39fbc95ebaab84889186389ee4684db1e2798fab1d72c166f42867ae81c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	6db1a39fbc95ebaab84889186389ee4684db1e2798fab1d72c166f42867ae81c
SHA3-384 hash:	eb96a5abb2e5dcd44cd36e35a366e3da94ab9578aaedaa5651659c6d9459b877dda8f02457644015765153fdcce1be67
SHA1 hash:	adcce73129cd39baa829f6012cf17e12d2fd7b82
MD5 hash:	316b24f4626fc6428baf85c552deba7d
humanhash:	mexico-cat-illinois-carbon
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'490'368 bytes
First seen:	2022-10-31 13:40:21 UTC
Last seen:	2022-10-31 19:20:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	db35ea5c80fc8389ab141cd45083bdd3 (17 x RedLineStealer, 1 x RecordBreaker, 1 x DCRat)
ssdeep	24576:+yq/Z7YrYFuocHNMMtTQaPcMy7Mn4Vxvohrg1cGRd8LrsaAGjf4ApBIgAGSZAugm:+yq/0Vi9ohM1cGRd8tOgtSAVd4M/NQSo
Threatray	2'638 similar samples on MalwareBazaar
TLSH	T165B5CF2AEB8629F4D9179771856EE77797187A148132EB3FFF8EFE04A0330163849152
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://79.137.192.57/tool/softwinx86.exe

Intelligence

File Origin

# of uploads :

121

# of downloads :

499

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-31 13:42:44 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/27acf14d-b236-472a-a9f2-e9f5c82e0f5f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/326438/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.31680.31024.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the system32 subdirectories

Reading critical registry keys

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/47015/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm packed

Link:

https://www.filescan.io/uploads/635fd06f762855ef2d76e65d/reports/ef0803e9-065e-45c2-af7a-d9019b1a4858/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a522657d-a9ed-454d-a9c7-b265d00cc6f7

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1101720

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6db1a39fbc95ebaab84889186389ee4684db1e2798fab1d72c166f42867ae81c/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-31 13:41:12 UTC

File Type:

PE (Exe)

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nwy2hh54sxv2vociremghcpoi2cnwhrhtd5ldvzmczxufbt25aoa._file

Verdict:

malicious

RedLineStealer

24cf11995f5f8ac963f3d85db42715e41322dce88ebf556ae2130e5e48424389

RedLineStealer

3638139041a60318ac7bd1e4f1789498c246283a232a784d50ac347281928b96

RedLineStealer

3a3538c69497117eed0c401d2885cc81f48caac0074846296251696ecc7c39a7

RedLineStealer

3ed50b2d4f853d9738a1f4791a2c9dfc2fe7c98f20fc91ae03eab5cff887509e

RedLineStealer

6d7ed06fdeb281dd5e23352b2a13ce1de21fce4c15434a6f429fc3e9f01056cd

RedLineStealer

76b2a3865b39346b400bec0b19468abf38bcd337b100425bd2a1640d999e5d5a

RedLineStealer

a61f119e5e68c51c61950e3331664b8886a6b0ce19ab0cab38c0546c2b4b5db5

RedLineStealer

ebf49457b99b011c02fb02aced3f045ba270b60b60927b7e4dc0134b8ac02897

RedLineStealer

+ 2'628 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1310 infostealer spyware

Link:

https://tria.ge/reports/221031-qy4rssbag5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

79.137.192.57:48771

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/df707c5f-c95e-4524-a0a0-d1b07c8f1738

Unpacked files

SH256 hash:

083f470d3033f11132c0111237c7c18d4bf6190104f1d8be372817f12d94ecfa

MD5 hash:

99ccadb89164ad00981bffc97c899a6b

SHA1 hash:

6db66a7459e78d2e7613781ed8e50f265b713609

Detections:

redline

Link:

https://www.unpac.me/results/de7d2de8-c78f-4966-a66d-29830ec10aa6/

SH256 hash:

6db1a39fbc95ebaab84889186389ee4684db1e2798fab1d72c166f42867ae81c

MD5 hash:

316b24f4626fc6428baf85c552deba7d

SHA1 hash:

adcce73129cd39baa829f6012cf17e12d2fd7b82

Link:

https://www.unpac.me/results/de7d2de8-c78f-4966-a66d-29830ec10aa6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6db1a39fbc95/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6db1a39fbc95ebaab84889186389ee4684db1e2798fab1d72c166f42867ae81c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/326438/

URLhaus

https://urlhaus.abuse.ch/url/2378332/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample