MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 759d0f88d2b8e63b2be28ebc82ce615c98df6e093db80c377a3b23284ec4c4e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 759d0f88d2b8e63b2be28ebc82ce615c98df6e093db80c377a3b23284ec4c4e9
SHA3-384 hash: e8e63df3582746274c93eb66108a91644bbfe1ab40b76a3fe3bad1a1aa599fd00317e5c659c12f034ee3a3e2c41f2949
SHA1 hash: 374b2cd428b4692219b2755db90924582e7e4c2e
MD5 hash: 83b444c8b672ee1aaa420ba054d15e38
humanhash: table-mike-north-victor
File name:83b444c8b672ee1aaa420ba054d15e38.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:405'504 bytes
First seen:2021-11-09 10:06:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a24faa9f4919afc00d25c1c4d020aae4 (5 x RaccoonStealer, 3 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:l0J9F303jsK4ku28MtIV0b4lBvFe8H8pBWqpzvuh5:m9F30TH4kuVMtIV0b4lhFe5nJvu
Threatray 2'547 similar samples on MalwareBazaar
TLSH T1A484CF10ABE0C039F6B713F449BA9378B92E79A15B2095CF22E512EE5B356D0EC31357
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.183.32.184:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.183.32.184:80 https://threatfox.abuse.ch/ioc/245195/

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204403/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618a4847a00afa9663a1c8f8/reports/20c393ce-8200-4ef1-a8d2-bf57a5b1c52d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88235c64-92bb-4dde-8afd-fe40cbdc084c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885858
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/759d0f88d2b8e63b2be28ebc82ce615c98df6e093db80c377a3b23284ec4c4e9/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2021-11-09 10:07:04 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=owoq7cgsxdtdwk7cr26ifttblsmn63qjhw4ayn32hmrsqtweytuq._file
Verdict:
malicious
Similar samples:
1fe92942ac54caf5ff6cc85935370ae3efde4467e57ddd227e147d9c86318c28
RedLineStealer
23560e3e786a9b44cd1d613451898d496cbe13a0bbb80d516a7125871b5aa48e
RedLineStealer
383f147b7eb4c815bc9def993cff994da41c7395092ceedd3c22d10e130b8c15
RedLineStealer
60595b6c6de942a30a61cb02b27b2dfec3cb76ee4751a68b8d92feefda02f78e
RedLineStealer
68c309ec74f6dd5ec81d2fd23378a84b9d8091ccd28bc8e5f962fabd82e526f8
RedLineStealer
c0d9890c15842c30d526025f7678e09b216020c3dc935b0d4cfa102c7eb9ae2c
RedLineStealer
ec316131d19e352193c7eb590ff34e7079fe94fd0a8bb44b7dff6d9fbabb44b2
RedLineStealer
f1a9eccc2cb1b0572b669b47cb1b29667221529555e554f34d2d13e6e334ceb6
RedLineStealer
+ 2'537 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1132044836 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211109-l5na6sbhgp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.183.32.184:80
Unpacked files
SH256 hash:
9c6341b148ac2906f5c468d3932d5df78a8e08065a90a3598f3479aa459efed2
MD5 hash:
e622241b33225aae0481873b413fc903
SHA1 hash:
daf8a3224ba1cf5574f7f0136d1ecbbd12e6eb00
Link:
https://www.unpac.me/results/e8191e42-e31e-4146-91ad-8df24ce3651b/
SH256 hash:
dab99fbee62e856c3f80521da9022887a2ae33d824212b6b8154dd441775d2c2
MD5 hash:
0733742afbdf09682d9a02de47ae699b
SHA1 hash:
6902bcd64f4cba3d0f8eff816ab2a2bbeeb916f8
Link:
https://www.unpac.me/results/e8191e42-e31e-4146-91ad-8df24ce3651b/
SH256 hash:
b530575b72400c2e1234035e06f23b71cbda53c846cf66d13eeffaf5b53fc854
MD5 hash:
dde07eaa7dec57b2b69b3bf17c7bbf97
SHA1 hash:
224b8ef1870a054fe22930aa4fd85334017d35d6
Link:
https://www.unpac.me/results/e8191e42-e31e-4146-91ad-8df24ce3651b/
SH256 hash:
759d0f88d2b8e63b2be28ebc82ce615c98df6e093db80c377a3b23284ec4c4e9
MD5 hash:
83b444c8b672ee1aaa420ba054d15e38
SHA1 hash:
374b2cd428b4692219b2755db90924582e7e4c2e
Link:
https://www.unpac.me/results/e8191e42-e31e-4146-91ad-8df24ce3651b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/759d0f88d2b8e63b2be28ebc82ce615c98df6e093db80c377a3b23284ec4c4e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 759d0f88d2b8e63b2be28ebc82ce615c98df6e093db80c377a3b23284ec4c4e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1738451/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/204403/

Comments