MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 714ba1e4369f152990e8a9ec9b2e214a46f18185e8e5f6e6c1f480c277e5c077. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 8 File information Comments

SHA256 hash:	714ba1e4369f152990e8a9ec9b2e214a46f18185e8e5f6e6c1f480c277e5c077
SHA3-384 hash:	aaff3971ed386992bb2fb714f5b933184f65aea4dd7337a75cbd2d659b10fce6a2f4885d722400da1efd97303da978f6
SHA1 hash:	ac4be1c62428a774d4c9aeeb3080dcf2ea646240
MD5 hash:	adb6d5ced90e10ca3b293c59265beb15
humanhash:	vegan-twenty-pennsylvania-gee
File name:	adb6d5ced90e10ca3b293c59265beb15
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	267'264 bytes
First seen:	2022-06-04 02:03:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:S35JbOkGnYRFZ13xVQGNFgYFoYg3JWgqh2ELl5Y:S3XOVE1DQGjg/DqkEB5Y
Threatray	10 similar samples on MalwareBazaar
TLSH	T1DF449E45B7EC6D14CBAB8B71E4B524E0A6F19A12749BCB5F300819FD1F563B0EC061AB
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13101/52/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.87.216.121:20385	https://threatfox.abuse.ch/ioc/654658/

Intelligence

File Origin

# of uploads :

# of downloads :

526

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

adb6d5ced90e10ca3b293c59265beb15

Verdict:

Malicious activity

Analysis date:

2022-06-04 02:05:31 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5b54381f-53dc-4f8b-8342-914bab0802a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/276597/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated redline replace.exe virus

Link:

https://www.filescan.io/uploads/629abd9c6a8e6753d222ec03/reports/7936996c-df85-4de7-9ec5-95a442dcc167/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/787f33be-7f9c-4425-8c6e-ade6a77c8f0e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1006585

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Creates multiple autostart registry keys

Detected VMProtect packer

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/714ba1e4369f152990e8a9ec9b2e214a46f18185e8e5f6e6c1f480c277e5c077/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2022-06-03 06:13:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 40 (70.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=off2dzbwt4kstehivhwjwlrbjjdpdamf5ds7nzwb6same57fyb3q._file

Verdict:

malicious

RedLineStealer

3b19fbbeac722577da7aa28ddceed026f37238aac9a1ddd6ee9a6edc1ef45d69

RedLineStealer

3c82afe36f2788acc235a06cff73af72b8c41d88b9b8745d32b9af6bba49847d

RedLineStealer

72c734d9063b759f2cb6e8c812a93133ad0c60a1ae4ec1c40344e357f83b2d0d

RedLineStealer

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89

RedLineStealer

d1d1acf2ef77fffa8267a33badd8c6531da9af2e5b8d0a9ddf678c9e27ef700a

RedLineStealer

eb17d6c767eab942cbdea2f4ee08e53207365606d713ede533336b7f6310bab2

RedLineStealer

fe0a87306945b4305e51608c2c2282efe1671dc9e897820fabeccde1277c401c

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer persistence spyware stealer vmprotect

Link:

https://tria.ge/reports/220604-cg9d3adbh9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

RedLine

RedLine Payload

Unpacked files

SH256 hash:

714ba1e4369f152990e8a9ec9b2e214a46f18185e8e5f6e6c1f480c277e5c077

MD5 hash:

adb6d5ced90e10ca3b293c59265beb15

SHA1 hash:

ac4be1c62428a774d4c9aeeb3080dcf2ea646240

Link:

https://www.unpac.me/results/db1a7de4-8093-4494-ace7-00c623cec209/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/714ba1e4369f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/714ba1e4369f152990e8a9ec9b2e214a46f18185e8e5f6e6c1f480c277e5c077

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	INDICATOR_EXE_Packed_ConfuserEx_Custom Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Custom; outside of GIT

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_NET_NAME_ConfuserEx Create hunting rule
Author:	Arnim Rupp
Description:	Detects ConfuserEx packed file
Reference:	https://github.com/yck1509/ConfuserEx