MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a6dfe9850d95ba4af4315f327cbc7811a43ecaa5a2807904129243ab6e8bf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	70a6dfe9850d95ba4af4315f327cbc7811a43ecaa5a2807904129243ab6e8bf2
SHA3-384 hash:	f71143c427c1c3f9716deb7ad931c7988f2aa3faa38f4b0a08f28cc9da18e32efb235afd051c9c93dc984b326134373c
SHA1 hash:	40ecda475b8c4d5db90cd6b3e05026124f3a489c
MD5 hash:	91d5b8ca1d8b499ce35f96daac1de57c
humanhash:	five-harry-salami-lithium
File name:	lnjector.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'320'960 bytes
First seen:	2023-01-22 07:21:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:mCNkCDFtGXjJn2lXvNXz28D+orIvlviD10MsSV3gN7ep:HDTIjJ2/a8D+oUvpje3u7c
Threatray	1'290 similar samples on MalwareBazaar
TLSH	T17F55E73526C352B4C4A89E30A63850E413FEB75FBB02CF6E24540AD9FF2129757225BE
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	e0c8ccc6c6c6c0e0 (3 x AsyncRAT, 2 x Formbook, 2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

lnjector.exe

Verdict:

Malicious activity

Analysis date:

2023-01-22 07:22:01 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a8eb2b08-7b17-4a5d-b70d-24fe08015e60

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/355546/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Launching a process

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63cce41b1c9cbf7d62514808/reports/ee00d839-9425-4bb6-af26-7c3f17bf9499/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c2f804aa-c8d8-4c0b-a598-952774824685

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1156437

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70a6dfe9850d95ba4af4315f327cbc7811a43ecaa5a2807904129243ab6e8bf2/

Threat name:

ByteCode-MSIL.Trojan.Zilla

Status:

Malicious

First seen:

2023-01-22 00:57:45 UTC

AV detection:

12 of 37 (32.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=octn72mfbwk3usxugfpte7f4pai2ipwkuwria6ieckjehk3orpza._file

Verdict:

malicious

RedLineStealer

6232bd70528f163b7aa8e8d76f6c4e63a0660eb112eabf2cc1859cc9e83ca755

RedLineStealer

8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9

RedLineStealer

9186f4166af5ab900f6f1c8a183a09154655ef1b0d0e9a9cf2c1fb2fa90ab87b

RedLineStealer

9465d1ee02521fdd0d1be313df401af7734a858c164e4eae77d6c85398e339eb

RedLineStealer

ba319ab5c744553d08d3e981e76445631626be828e08bfa84487ae19434912b9

RedLineStealer

cb1bfed9b946adbcb897876432268c9bc453b4b489a6df99f5812d5f71b95ea7

RedLineStealer

e302530e680780414528ef634f5e9c258ddcedbca098eb079be321650441b1f8

RedLineStealer

eb41f0d7fa86d49349be3d44f29f71bb3b93091f2894eae69371e0d12310f6b9

RedLineStealer

+ 1'280 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@origkvin botnet:sc18 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230122-h68rqafe83/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

RedLine

Malware Config

C2 Extraction:

176.113.115.7:2883
81.161.229.143:26910

Unpacked files

SH256 hash:

70a6dfe9850d95ba4af4315f327cbc7811a43ecaa5a2807904129243ab6e8bf2

MD5 hash:

91d5b8ca1d8b499ce35f96daac1de57c

SHA1 hash:

40ecda475b8c4d5db90cd6b3e05026124f3a489c

Link:

https://www.unpac.me/results/933f64a8-8b22-4f27-810c-7984035e6ef1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/70a6dfe9850d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/70a6dfe9850d95ba4af4315f327cbc7811a43ecaa5a2807904129243ab6e8bf2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/355546/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample