MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70958bc9ab26e3c2f8bacacfcf29970d250a62b57426146241961a0ce3d92397. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14



SHA256 hash: 70958bc9ab26e3c2f8bacacfcf29970d250a62b57426146241961a0ce3d92397
SHA3-384 hash: 6b4386dcd26540bf65ae25f23865433135286d9deaebd56db672e2b60ca5d6cf671b5d68925ee02c2aeb22cf4859e73b
SHA1 hash: 775be30f04f424e65ccb34270b48deab9bec9b45
MD5 hash: 0fa7a0b88ddcb3f10416e539eacbf271
humanhash: asparagus-eight-tennis-freddie
File name: file
Download: download sample
Signature: RedLineStealer
File size: 5'684'224 bytes
First seen: 2023-07-14 14:59:24 UTC
Last seen: 2023-07-14 23:30:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 98304:laKOa3iGNuEuPCLxPztGRrDcQUBoIw9vOCxeQAg4wDoeyrS1N6y:4daS8uEOCLxBGRrPUyIuH4g47eyrS1X
Threatray: 1'377 similar samples on MalwareBazaar
TLSH: T1464622B4B1B2D6C8DA304CB8D4863642E3B3A71D513055DDA74E7A0AF4E67E1248F72B
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 70f0f894cce87130 (1 x Vidar, 1 x RedLineStealer)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from https://vk.com/doc808950829_664264289?hash=yZ9u0ZEKOviyvwlNpemsySe7DZPFhla0gRS1Wqm4h0w&dl=OhZeX5my1WPsFf73oE6StLDtWz74c8ziG8iMJw4ZKc0&api=1&no_preview=1#124

Intelligence


File Origin
# of uploads: 16
# of downloads: 323
Origin country: US
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-07-14 15:01:35 UTC
Tags: rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed packed stealer
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 64 / 100

Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer

Behaviour
Behavior Graph:
Behavior Graph ID: 1273273; Sample: file.exe; Startdate: 14/07/2023; Architecture: WINDOWS; Score: 64
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
file.exe (started)
  dropped: C:\Users\user\AppData\Local\...\file.exe.log (CSV); C:\...\FileZilla_Server_1.6.7_win64-setup.exe (PE32)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  started: vbc.exe; FileZilla_Server_1.6.7_win64-setup.exe
vbc.exe
  network: 185.46.46.130, 34154, 49681 (PRANET-ASRU, Russian Federation)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
FileZilla_Server_1.6.7_win64-setup.exe
  dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); 20 other files (none is malicious)
  started: sc.exe (3 instances); 2 other processes
sc.exe (each instance) and the 2 other processes started conhost.exe
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-07-14 15:00:15 UTC
File Type: PE (.Net Exe)
Extracted files: 21
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:doz infostealer spyware

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
RedLine

Malware Config
C2 Extraction: 185.46.46.130:34154
Unpacked files

SHA256 hash: c91c61861cf22d1e9cd14dbba163573b2bd3d03dc72fcb1512879e4f3ab3b276
MD5 hash: 6b7073967487c24d08e88c208a1626fa
SHA1 hash: f75f9dd095558b3c03b1647fe23c0869634bd9cc

SHA256 hash: 5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe
MD5 hash: 4c77a65bb121bb7f2910c1fa3cb38337
SHA1 hash: 94531e3c6255125c1a85653174737d275bc35838

SHA256 hash: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash: 564bb0373067e1785cba7e4c24aab4bf
SHA1 hash: 7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256 hash: 6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156
MD5 hash: 48f3e7860e1de2b4e63ec744a5e9582a
SHA1 hash: 420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256 hash: d9b7f654003b507a90abafa1599c2acdf4228aff1b10619d2dfac84f512eddfa
MD5 hash: 5eb8cddf9b69fef9a03e90ffda14af90
SHA1 hash: 45381559a2a30de3d286d30229ad49cc4a14a9d2

SHA256 hash: 5ccaa8a07f20ab16d4a8f5ef0793ecf4c8f1db31f66d572c2f25e27cf153f085
MD5 hash: 760649aff40231a54d4e1dc7dc5ac1d3
SHA1 hash: 9ae992f40a40f91af2363fb3d7c8b1253e06e334
Detections: redline

SHA256 hash: 843acc4e79e177df59d2a7d93709939897380010e9420b82e5ed54db26a770c1
MD5 hash: 129ec78b5b0568f61b8ca8614b5b7c63
SHA1 hash: 0bcd8348020d549d23f96cd18b401c4ce1852755

SHA256 hash: 1ece965ac1a7410c56c47532a43dd7e5b4db0263a8dca53f0554f7ff16003a8c
MD5 hash: df3e949ba7901c3520698d403c7f1f5c
SHA1 hash: 6cd0bcdcd433cea81f90ecc1bf4e92e9a0d8fde2

SHA256 hash: 70958bc9ab26e3c2f8bacacfcf29970d250a62b57426146241961a0ce3d92397
MD5 hash: 0fa7a0b88ddcb3f10416e539eacbf271
SHA1 hash: 775be30f04f424e65ccb34270b48deab9bec9b45
Malware family: RedLine.E
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments