MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981
SHA3-384 hash: bf8fef7e01990ea7a59b273f545c6117f1107ae021eeb127bc856d3301a2f8fca84e8076168a86c7abbd682ba73a5850
SHA1 hash: d0f50ef3402295dec4cd0dbdefc6e041b0cc854b
MD5 hash: 5ee187036dfa9186004738b99c2b178f
humanhash: neptune-march-november-virginia
File name:5ee187036dfa9186004738b99c2b178f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:612'864 bytes
First seen:2021-09-21 19:26:19 UTC
Last seen:2021-09-21 20:09:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 98349bc8fa025f57a9d49df3092c15be (10 x RedLineStealer, 2 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 12288:cXQIrK0zEDXswNYUpVhAWdJXNw2otMQtHuCG8RgSA5EBaw:cXQIrry8wbVN0G6gb+1
Threatray 730 similar samples on MalwareBazaar
TLSH T1AAD412413590C6B5C4A346317B30E6E1BAB7B92259B783473712662DEF302D0BB7637A
File icon (PE):PE icon
dhash icon 327e7c7d727e6e76 (14 x RedLineStealer, 13 x RaccoonStealer, 3 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ee187036dfa9186004738b99c2b178f.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 19:27:00 UTC
Tags:
evasion opendir trojan rat redline loader stealer
Link:
https://app.any.run/tasks/e13e26f4-8491-43cd-90e5-90e37995feb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLineDropperAHK
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189977/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.5675.25193.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f1c32ec-a382-4219-befc-2c79fd772de5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855175
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Autohotkey Downloader Generic
Yara detected Evader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981/
Threat name:
Win32.Ransomware.LockbitCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 16:16:33 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
87686e5d836a7761ce31744a990c6229266695e7462a5d88f31b2a8ffe748e4a
RedLineStealer
8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9
RedLineStealer
90bfa7cac8c7e702b3704b49fba7fb4976b19dcfde7651bd27061efccc850c1d
RedLineStealer
94124291eb97249c0ebb5ab9af54795543efd7661d4b107df1b230d7378683c8
RedLineStealer
9b009a24ed2022a348e82514b039cea11b468365e0cf58ae5bb217fc3c391493
RedLineStealer
a23667dadeb0b55f452380e7e837e856a9e7df5b4bf6211b2314e55f1105ef1e
RedLineStealer
bd7c41dee6aba2b2d13e5ae39169242ed463a43366eec28a438f74db717d15f4
RedLineStealer
cafacec99af0e63fe0fdd8b519d4947fe9b9e12587bb18b10151f3fd8ce20f63
RedLineStealer
f81b0ee364ffb419c8af7bdaf03670bb7fa7dec30aa1d6f486e7a8157768eed2
RedLineStealer
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
RedLineStealer
+ 720 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:21.09 discovery infostealer spyware stealer suricata
Link:
https://tria.ge/reports/210921-x53xeadahq/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
185.215.113.17:48236
Unpacked files
SH256 hash:
ad3261564eefaaed387fa30c95d6bca14c4b61b07d8b8022fd9ee2e7c73325b8
MD5 hash:
34ff1c9b00578927310ccfecdcd2a649
SHA1 hash:
a181f05233005c6a9f33c60526629b8b36994c75
Link:
https://www.unpac.me/results/98967ca6-15f1-47f0-aed8-d22b4059e2a3/
SH256 hash:
6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981
MD5 hash:
5ee187036dfa9186004738b99c2b178f
SHA1 hash:
d0f50ef3402295dec4cd0dbdefc6e041b0cc854b
Link:
https://www.unpac.me/results/98967ca6-15f1-47f0-aed8-d22b4059e2a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1638538/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189977/

Comments