MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6db727f75d26827c936e8380141708c25b9df8c3869fb6bdfe1899bff95781ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6db727f75d26827c936e8380141708c25b9df8c3869fb6bdfe1899bff95781ff
SHA3-384 hash: 46d23305a7992e35ac81912ec6daf6018fe88b47f21dfc90017c4d1adf5ddc2bdf3e94eb34125a0972481fd76d3054c1
SHA1 hash: 50fba629bcbfa81994cd30e0fc4dbad2ea87d569
MD5 hash: eb1b1b1fc219887139f391cae06fe2ae
humanhash: mobile-earth-violet-bacon
File name:Price_Quote.bat
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:83'738 bytes
First seen:2022-10-18 16:20:54 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:LSwPd9e6q4nhNAXoKJ1tn5slRexN1cdz4294OoCUS8xQuDQ/Aj98U5FvK:22hq4hN5a1dGQxKP943dS8xQuk/AZE
Threatray 2'432 similar samples on MalwareBazaar
TLSH T1FE83E062A204DE6A0A74729F8FF5857983BC8CB344F5E3E46752761BC06C960AD1ECD3
Reporter 0xToxin
Tags:. bat Jlaive Redline redline54376876-duckdns-org RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
6db727f75d26827c936e8380141708c25b9df8c3869fb6bdfe1899bff95781ff.zip
Verdict:
Malicious activity
Analysis date:
2022-10-18 16:30:11 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/ee4b343e-6052-4f1c-aae6-8de2e24c8302

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321445/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62910128.13530.30416.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/634ed26f898b0652a4b8bfeb/reports/caf96bb7-4d75-4d55-b654-a6fcba171b77/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1092908
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames powershell.exe to bypass HIPS
Self deletion via cmd or bat file
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6db727f75d26827c936e8380141708c25b9df8c3869fb6bdfe1899bff95781ff/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nw3sp525e2bhze3oqoabifyiyjnz36gdq2p3npp6dcm376kxqh7q._file
Verdict:
malicious
Similar samples:
1702558a8ae1cda0af628944914cf12a6dc360092b67395779e90450dd1bf64d
RedLineStealer
870a4cfc58c388361c8834701aa8112a0de4155305e92aedc66e0384813d3439
RedLineStealer
9ceef6a61f77d5e5c9d65e5eff7c2ede91cd236839c09830322faf841167a5e3
RedLineStealer
b26760b051260ea435c5c32f8e65cd200034495db040e58da7b453b3d57132a5
RedLineStealer
ba2c8fcdef3c1675e57b94c9a7b04088a68d98110cf1ddf509eae437f731b138
RedLineStealer
cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a
RedLineStealer
d0fef87fd7e5a7214773deef4c445970147c88d5335867b552f9d4d22ef0231b
RedLineStealer
+ 2'422 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware
Link:
https://tria.ge/reports/221018-ttm52agdg8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6db727f75d26827c936e8380141708c25b9df8c3869fb6bdfe1899bff95781ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/321445/

Comments