MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 763523c1b4a8e9aa4583af76c6706ccac9df72244a3b8fc70ac81f864bcf7ed9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: 763523c1b4a8e9aa4583af76c6706ccac9df72244a3b8fc70ac81f864bcf7ed9
SHA3-384 hash: a50861a7a68893e25087b66942d1078affa0da81a569d1211a58acb51f3ffb55063b9daafd6a35773c0e4b66d0db052b
SHA1 hash: 8980996a8ff96f53eec4098e44145f8eb7cfaf26
MD5 hash: 483dfb5d1e3d6a2da44d470459421a38
humanhash: zebra-avocado-lima-leopard
File name: 483dfb5d1e3d6a2da44d470459421a38.exe
Signature: RedLineStealer
File size: 361'472 bytes
First seen: 2021-03-31 12:50:12 UTC
Last seen: 2021-03-31 14:36:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 50cc85a4cbdb89118b90829f0ebef814 (2 x RedLineStealer)
ssdeep: 6144:657gTlZ5DLPdQTLkgRpHnGe306ULDyabSghpmhQaVPnHZ:6RgTJz6TLkQdny6ULZSW4fn
Threatray: 446 similar samples on MalwareBazaar
TLSH: 2774DF1133E1C032D0E315364665C7B19EBF7832656AA98FBBD01BB91F247E1E72274A
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 102
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://cdn.discordapp.com/attachments/826198252025675816/826537386485612574/china.png
Verdict: Malicious activity
Analysis date: 2021-03-31 11:26:28 UTC
Tags: evasion trojan rat asyncrat stealer raccoon loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Stealing user critical data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
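The two WMI signatures above (Win32_DiskDrive and Win32_VideoController) are worth turning into a hunt, because a single process that asks for both in quick succession is more often fingerprinting a sandbox or VM than taking hardware inventory. The block below is an added example written for this page, not code from the sandbox vendor or from MalwareBazaar: it runs over constructed events shaped like the Operation text of Microsoft-Windows-WMI-Activity/Operational entries (that field layout is an assumption and no event-log parsing is done), and the process name reuses this entry's file name purely as a label.

```python
"""Flag processes whose WQL queries hit the VM-fingerprinting classes named in
the sandbox report on this entry.

Added example, not from MalwareBazaar or the sandbox vendor. The events are
constructed; the (process, pid, operation) shape and the
"Start IWbemServices::ExecQuery - root\\cimv2 : <WQL>" text are assumptions
modelled on WMI-Activity operational events, not parsed from real telemetry.
"""
import re
from collections import defaultdict

# WMI classes the sandbox signatures on this entry associate with VM detection.
VM_FINGERPRINT_CLASSES = {"win32_diskdrive", "win32_videocontroller"}

# Pulls the class name out of a WQL statement ("... FROM Win32_DiskDrive ...").
WQL_FROM = re.compile(r"\bFROM\s+(Win32_\w+)", re.IGNORECASE)

# Constructed events shaped like (process, pid, operation); not real telemetry.
SAMPLE_EVENTS = [
    ("483dfb5d1e3d6a2da44d470459421a38.exe", 4120,
     "Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_DiskDrive"),
    ("483dfb5d1e3d6a2da44d470459421a38.exe", 4120,
     "Start IWbemServices::ExecQuery - root\\cimv2 : select * from win32_videocontroller"),
    ("svchost.exe", 1012,
     "Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Service"),
    ("inventory.exe", 2288,
     "Start IWbemServices::ExecQuery - root\\cimv2 : SELECT Caption FROM Win32_VideoController"),
]


def wql_class(operation: str):
    """Return the lower-cased class a WQL query selects FROM, or None if there is none."""
    m = WQL_FROM.search(operation)
    return m.group(1).lower() if m else None


def flag_vm_fingerprinting(events, min_classes: int = 2) -> dict:
    """Return {(process, pid): sorted class names} for every process that queried
    at least min_classes distinct VM-fingerprinting classes.

    Requiring two classes keeps a lone, legitimate hardware inventory query
    (like inventory.exe above) out of the alert; lower min_classes to 1 when
    hunting broadly and triaging by hand.
    """
    seen = defaultdict(set)
    for process, pid, operation in events:
        cls = wql_class(operation)
        if cls in VM_FINGERPRINT_CLASSES:
            seen[(process, pid)].add(cls)
    return {key: sorted(classes) for key, classes in seen.items()
            if len(classes) >= min_classes}


if __name__ == "__main__":
    for (process, pid), classes in flag_vm_fingerprinting(SAMPLE_EVENTS).items():
        print(f"{process} (pid {pid}) queried VM-fingerprinting classes: {', '.join(classes)}")
```

The regex is deliberately case-insensitive and lower-cases the class name: WQL is not case-sensitive, and the sample's second query in the constructed data uses lower case to show that a case-sensitive string match would have missed it.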
Behaviour
Behavior Graph: (image, not reproduced here)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-03-31 07:00:08 UTC
AV detection: 16 of 43 (37.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 35d0928519d822a69421540d087112a73e9a0c4665f782d9d1d25601928cf78a
MD5 hash: 613aa100d904c2aa88648f844a245d96
SHA1 hash: 19affe5e9b38ab6dd0656f6a73334e95875314c2

SHA256 hash: a6beae88f5ceb8a2ef1b4ab25f144fe179607056605a8c4e831a602033a345ec
MD5 hash: 1a9f9e7e92e9bf4d1245f4b247d76e70
SHA1 hash: 8fe57ce0dfd37af519aa2822189f99b9aaa6290e

SHA256 hash: 47569ee098df1373e3b47064bff8389abdf7ddf44e898dc2a17a98f6e4ee6c6d
MD5 hash: eb4ecf005b7e907dbd5a49090c49ea4b
SHA1 hash: ec8c991d4cc0c825ee656bf9981dd070f95f1f96

SHA256 hash: 763523c1b4a8e9aa4583af76c6706ccac9df72244a3b8fc70ac81f864bcf7ed9 (this sample)
MD5 hash: 483dfb5d1e3d6a2da44d470459421a38
SHA1 hash: 8980996a8ff96f53eec4098e44145f8eb7cfaf26
Please note that we are no longer able to provide a coverage score for Virus Total.
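To confirm that a file you downloaded is the sample this entry describes, or that a process dump matches one of the unpacked files listed above, compute the same hash set MalwareBazaar publishes and compare it against the entry. The block below is an added example written for this page, not MalwareBazaar or abuse.ch code: the IOC values are copied from this entry, the bytes hashed in the demo are a constructed stand-in for the real binary (which is not reproduced here), and imphash, ssdeep and TLSH are left out because they need third-party libraries (pefile, ssdeep, py-tlsh) rather than the standard library.

```python
"""Compute the hash set MalwareBazaar lists for a sample and match it against
the IOCs on this entry.

Added example, not code from MalwareBazaar or abuse.ch. The IOC values are
copied from this page; the sample bytes in the demo are constructed. imphash,
ssdeep and TLSH need third-party libraries and are not computed here.
"""
import hashlib

# SHA256 of the parent sample and of the three unpacked files listed on this entry.
ENTRY_SHA256 = {
    "763523c1b4a8e9aa4583af76c6706ccac9df72244a3b8fc70ac81f864bcf7ed9": "parent sample",
    "35d0928519d822a69421540d087112a73e9a0c4665f782d9d1d25601928cf78a": "unpacked file 1",
    "a6beae88f5ceb8a2ef1b4ab25f144fe179607056605a8c4e831a602033a345ec": "unpacked file 2",
    "47569ee098df1373e3b47064bff8389abdf7ddf44e898dc2a17a98f6e4ee6c6d": "unpacked file 3",
}
# Weaker hashes listed for the parent sample, kept for feeds that only carry MD5/SHA1.
ENTRY_MD5 = {"483dfb5d1e3d6a2da44d470459421a38": "parent sample"}
ENTRY_SHA1 = {"8980996a8ff96f53eec4098e44145f8eb7cfaf26": "parent sample"}

# The four digests shown at the top of a MalwareBazaar entry.
HASH_ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def hash_bytes(data: bytes) -> dict:
    """Return lowercase hex digests of data for every algorithm in HASH_ALGOS."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_ALGOS}


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Same digests as hash_bytes, streamed so a large sample is not read into memory at once."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def match_entry(digests: dict) -> list:
    """Return [(algorithm, label), ...] for every IOC on this entry the digests hit.

    SHA256 is checked first and is the authoritative match; SHA1 and MD5 hits are
    reported as separate tuples so a caller can treat them as weaker evidence.
    """
    hits = []
    for algo, table in (("sha256", ENTRY_SHA256), ("sha1", ENTRY_SHA1), ("md5", ENTRY_MD5)):
        label = table.get(digests[algo].lower())
        if label:
            hits.append((algo, label))
    return hits


if __name__ == "__main__":
    # Constructed stand-in for a downloaded file; the real RedLine binary is not embedded.
    fake_sample = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the RedLine binary"
    digests = hash_bytes(fake_sample)
    for name, hexdigest in digests.items():
        print(f"{name:9s} {hexdigest}")
    print("entry hits:", match_entry(digests) or "none (expected for the stand-in)")
```

SHA256 is treated as the authoritative identifier because MD5 and SHA1 both have practical collision attacks; a hit on those alone, from a feed that carries nothing stronger, should be corroborated against the SHA256 before it drives a verdict. The lookup lower-cases the digest so that IOCs pasted in upper case still match.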

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 763523c1b4a8e9aa4583af76c6706ccac9df72244a3b8fc70ac81f864bcf7ed9 (this sample)

Delivery method
Distributed via web download

Comments