MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 755bef72372ca90cd2560ca3d2b0407fcf5f44a2f31e594e75c93e491deaca59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 755bef72372ca90cd2560ca3d2b0407fcf5f44a2f31e594e75c93e491deaca59
SHA3-384 hash: 543d4aaa36cc1d6295b600ee51f6c0b4cebb2d40c3bb37351b1eefd203ac55205b218590e748d102b78b36aa2007a820
SHA1 hash: 26036516885bfe10756156a1975631e39f8bd498
MD5 hash: 68377873ed164ebbd6ae80748a2b137e
humanhash: august-lamp-mirror-pip
File name:68377873ED164EBBD6AE80748A2B137E.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:433'080 bytes
First seen:2024-03-01 17:10:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep 6144:XE+yclwQKjdn+WPtYVJIoBfqmbP7NZGjIEveYLW6Zv4MP8EPVOQf:XBdlwHRn+WlYV+fmbhZG/nWqvjP8Et
TLSH T19E94F113FAC1C0B2D03216325A69DB62A9BDB4100F268BDF53D54D7DFA251E2A7316E3
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon cc64b4b06464cccc (2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.19.208.109:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Dropper.njRAT-9986242-0
Create hunting rule

Win.Dropper.Nanocore-9986456-0
Create hunting rule

Win.Malware.Bladabindi-10008357-0
Create hunting rule

Win.Packed.Babar-10012967-0
Create hunting rule

Win.Packed.Bladabindi-10017056-0
Create hunting rule

Win.Malware.Zenpak-10017873-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm fingerprint installer lolbin overlay packed redline setupapi sfx shdocvw shell32 stealer
Link:
https://www.filescan.io/uploads/65e20c29ff0555ea5e01248e/reports/4e62dc27-a3ff-415e-ab1a-031ad884955a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/755bef72372ca90cd2560ca3d2b0407fcf5f44a2f31e594e75c93e491deaca59
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bb60ed43-3a09-4cd5-b584-a0d61913519a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1401609
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/755bef72372ca90cd2560ca3d2b0407fcf5f44a2f31e594e75c93e491deaca59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/755bef72372ca90cd2560ca3d2b0407fcf5f44a2f31e594e75c93e491deaca59/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-02-27 21:01:40 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovn664rxfsuqzuswbsr5fmcap7hv6rfc6mpfsttvze7eshpkzjmq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:6077866846 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240301-vqaafaad3s/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
https://pastebin.com/raw/NgsUAPya
Unpacked files
SH256 hash:
3c866c1af20805c1e86b4856a27a2600ae10222d04c2506b0c2a4e2090eb9410
MD5 hash:
745f36a99114fb4ae4d654f51fedab38
SHA1 hash:
ea3786016d1213d1b69b12daeba9cefea80df9c0
Detections:
redline
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/97c37d76-e389-409c-8923-08d29db8b44c/
SH256 hash:
f885ea535965581cce9a47ea37815c0e47329488aeff02c10683a9fa10d642fe
MD5 hash:
ddc102ffad24bb4441cfa586e9ffa121
SHA1 hash:
dc56cd9b01f9d727bc0b8a8f9cf9796fe7a4d026
Link:
https://www.unpac.me/results/97c37d76-e389-409c-8923-08d29db8b44c/
SH256 hash:
0c13814659ecbaac5c8ab219b55f103fa167bbd6fb5f0a01e1c3ac107a9ea3bf
MD5 hash:
370777a674f35598cb7c7d22f803e417
SHA1 hash:
72df232b6a9b41406dae59cff06236d2e6d2176b
Link:
https://www.unpac.me/results/97c37d76-e389-409c-8923-08d29db8b44c/
SH256 hash:
755bef72372ca90cd2560ca3d2b0407fcf5f44a2f31e594e75c93e491deaca59
MD5 hash:
68377873ed164ebbd6ae80748a2b137e
SHA1 hash:
26036516885bfe10756156a1975631e39f8bd498
Link:
https://www.unpac.me/results/97c37d76-e389-409c-8923-08d29db8b44c/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/755bef72372c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/755bef72372ca90cd2560ca3d2b0407fcf5f44a2f31e594e75c93e491deaca59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_b1f6f662
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments