MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56
SHA3-384 hash: a082d9f8e34de897072eb620bc36ec1a5b83070fe16e024dda072a065574e9f8814cda05b86c370775eb1f2af8888816
SHA1 hash: b45d4e410abff1ab9fcdd31a3d7778d9f9ad3b18
MD5 hash: 82333e8388884ed07a8104b1da402b34
humanhash: equal-cardinal-undress-butter
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:420'352 bytes
First seen:2023-07-27 13:04:29 UTC
Last seen:2023-07-27 13:54:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a5494563fbba88cb05fb13a72779b2e4 (2 x RedLineStealer, 2 x LummaStealer, 1 x Gozi)
ssdeep 3072:GeL7M9/t9Gfz045atvpUYWvyjk7CBOJbQS6w1/h5C/ahaORqmkrhOzM5b9ImJThd:PM9rGfg1tBKSO9uMP83dhOMbSUsvCfP
Threatray 271 similar samples on MalwareBazaar
TLSH T1A8948E0392D0FD55F5224A728E2EC6E8761EF9928F1977A622186E2F04B32F1D373715
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70c0dcd0d0d9d2dd (1 x RedLineStealer, 1 x GCleaner)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://87.120.88.198/g.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-27 13:07:36 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/bce39e9a-a557-4f3d-9a86-be1f357b7d34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434795/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.10368.17230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64c26b7fd6da59d001ad9bef/reports/45e7455c-b844-4399-98cb-8eb25658e519/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/332f0917-c7a6-45a7-950c-ad955d77f60a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1281172
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-27 13:05:05 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxngy3s7sj6ejg5s4n2i5kutfgvlhrwd7h2uxpnpr5e5gp4ejjla._file
Verdict:
malicious
Similar samples:
00fc3bba8814fea6dd4c9b78ae51876f5e6a213ca7919451253008330160aba2
RedLineStealer
17b06b8cdf3b99754409988f579971fa396ad1807570143818ef5c0c532dd86d
RedLineStealer
36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6
RedLineStealer
680fa23ffd5f8185eb50f54932becc71d2d3b51b39033f853c4ea2e8737e34f0
RedLineStealer
718034f9b541fdf7866851cd4ced6b406e07952944717e4291b38e75ac763e12
RedLineStealer
b824349984caaa7351d0c62a0b04e0ff3412834c24e7f9f29e9c1459c525ccb1
RedLineStealer
e54412bc24512c26b03a502256ba54730489e38d5a18adaf594dd8f5efc9665d
RedLineStealer
febd6964bdd7f4d619fa5b9fa4cab9664544370704d3cf04976eb8c520825c2e
RedLineStealer
+ 261 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@germany discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230727-qbhaaaef73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.26.135.162:2920
Unpacked files
SH256 hash:
bf0c40ace850af22ed499c3b0504249f65d43d24479a52a92ed0995b58513c15
MD5 hash:
f4068130a33c503eecbe9f9dd27f4237
SHA1 hash:
c796ac46069d75b6858c30c4178dcdfd470b4122
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/5d6ec53b-584f-4ae3-97a6-5ef1de21051c/
Parent samples :
54347c92b3f40ffb6e06b6c2491094dd9a35c84a2eeb09ec15e20ba0b69e1cd5
0cf5912e01d61db285fb01b7b04971117fae86129a583cce83aee5482e844c19
4b821e183fd57320849d7999495a583e0a74ee4bcffd59daefae37534f736393
25223dcb5c58948525d07a527f3d60b9ac1d5066f158ca0dd9cfcdde0570f9ed
116b4fa2541f40e452d7aa04de03095d97a8fcb5d2f118ec60b112e228d42062
27939e0c5b1fe6f52d27e4bc1fa21b9e20837e0aa4a7d6a12a8564fcc8928106
dcbfe3857cc6ba5394a223008422349ca296cc676f7f60618b0b3cc67f7a5597
df282ea63eecaa2e3e46c39748f5a2be5e885cdcf0d857258b13957808ecdb52
da29c485d19eaa1e567d555db19a7bb5a5e74df17be79f7817a42c0cca1566ff
f5e4e57c0c6b27846676f07828e2dc02837f03f83da2471701fbadea52fd742c
1f8f52ad901f6f1f77494997aeb7c94c4e8f6c031a170a92cf1d1eac5ef4a0bd
883e13b0ee3b095b37bf146fa5d4f0dc428bb68daca717e98f28c769cde5c7dd
09e1d06be43c59027f2315088f1c53cca84aae43489f9639f907de6e327d9628
718034f9b541fdf7866851cd4ced6b406e07952944717e4291b38e75ac763e12
febd6964bdd7f4d619fa5b9fa4cab9664544370704d3cf04976eb8c520825c2e
680fa23ffd5f8185eb50f54932becc71d2d3b51b39033f853c4ea2e8737e34f0
b824349984caaa7351d0c62a0b04e0ff3412834c24e7f9f29e9c1459c525ccb1
6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56
399139bc23966f9509eb7bcc58f880e52df62c293f800d704bff96e0b0e8d09f
edb1307f1fd091e464831bfc974dc7c4db9586095f3112a3bed99f5601213eb8
ee5754e39b22b6758e5d2b940a0cfc11835a80779073148028a6222a7e37e086
9fc1d2f4b0dcfa9ed31d874c579a1c486f2233a2303aad210102b8c2c8d9cf06
4eae100521922e9249c423378708ecc0d393502c68bfc3216dbf75ca0faef949
8d989a16837d23dd2fd12b69b133e43c2ae1bbb68b171736a75dd9af898b00a5
0712a4ddc18386e86ad4f2ae1d37ff55dfb1850cdad6d9c66162c58cd5048935
01b9ae05c0c5d50490c05aa2e2873b77a71792adf7c9fb0a1205780a70547192
SH256 hash:
7e26e19ba215af997b4333ae4559ed1ff66c192f505432f3d591a6198a5da1a4
MD5 hash:
3789167e4fa3fc3ecaae2e25c1d028d8
SHA1 hash:
30c80bdf39579995159d4b9d806216738a9e3f6e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/5d6ec53b-584f-4ae3-97a6-5ef1de21051c/
Parent samples :
54347c92b3f40ffb6e06b6c2491094dd9a35c84a2eeb09ec15e20ba0b69e1cd5
0cf5912e01d61db285fb01b7b04971117fae86129a583cce83aee5482e844c19
4b821e183fd57320849d7999495a583e0a74ee4bcffd59daefae37534f736393
25223dcb5c58948525d07a527f3d60b9ac1d5066f158ca0dd9cfcdde0570f9ed
116b4fa2541f40e452d7aa04de03095d97a8fcb5d2f118ec60b112e228d42062
27939e0c5b1fe6f52d27e4bc1fa21b9e20837e0aa4a7d6a12a8564fcc8928106
dcbfe3857cc6ba5394a223008422349ca296cc676f7f60618b0b3cc67f7a5597
df282ea63eecaa2e3e46c39748f5a2be5e885cdcf0d857258b13957808ecdb52
da29c485d19eaa1e567d555db19a7bb5a5e74df17be79f7817a42c0cca1566ff
f5e4e57c0c6b27846676f07828e2dc02837f03f83da2471701fbadea52fd742c
1f8f52ad901f6f1f77494997aeb7c94c4e8f6c031a170a92cf1d1eac5ef4a0bd
883e13b0ee3b095b37bf146fa5d4f0dc428bb68daca717e98f28c769cde5c7dd
09e1d06be43c59027f2315088f1c53cca84aae43489f9639f907de6e327d9628
718034f9b541fdf7866851cd4ced6b406e07952944717e4291b38e75ac763e12
febd6964bdd7f4d619fa5b9fa4cab9664544370704d3cf04976eb8c520825c2e
680fa23ffd5f8185eb50f54932becc71d2d3b51b39033f853c4ea2e8737e34f0
b824349984caaa7351d0c62a0b04e0ff3412834c24e7f9f29e9c1459c525ccb1
6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56
399139bc23966f9509eb7bcc58f880e52df62c293f800d704bff96e0b0e8d09f
edb1307f1fd091e464831bfc974dc7c4db9586095f3112a3bed99f5601213eb8
ee5754e39b22b6758e5d2b940a0cfc11835a80779073148028a6222a7e37e086
9fc1d2f4b0dcfa9ed31d874c579a1c486f2233a2303aad210102b8c2c8d9cf06
4eae100521922e9249c423378708ecc0d393502c68bfc3216dbf75ca0faef949
8d989a16837d23dd2fd12b69b133e43c2ae1bbb68b171736a75dd9af898b00a5
0712a4ddc18386e86ad4f2ae1d37ff55dfb1850cdad6d9c66162c58cd5048935
01b9ae05c0c5d50490c05aa2e2873b77a71792adf7c9fb0a1205780a70547192
SH256 hash:
a2dcaa7e6a5dc08488f877b88719ebf1bfde81c42e4ac8a32a30cfd98b7f9e80
MD5 hash:
95f3a064db0e7e03247f011689203646
SHA1 hash:
104e38e3fab9e96cca5d0a6b130e3d539707c911
Link:
https://www.unpac.me/results/5d6ec53b-584f-4ae3-97a6-5ef1de21051c/
SH256 hash:
6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56
MD5 hash:
82333e8388884ed07a8104b1da402b34
SHA1 hash:
b45d4e410abff1ab9fcdd31a3d7778d9f9ad3b18
Link:
https://www.unpac.me/results/5d6ec53b-584f-4ae3-97a6-5ef1de21051c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6dda6c6e5f92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dda6c6e5f927c449bb2e3748eaa9329aab3c6c3f9f54bbdaf8f49d33f844a56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/434795/
  
URLhaus
https://urlhaus.abuse.ch/url/2675558/
  
URLhaus
https://urlhaus.abuse.ch/url/2685168/

Comments