MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
SHA3-384 hash: f3cd8f6bb846f1f05f167e98b5f278fd1fa595162ae912207a015ee143b9b39bbc68b5d2e6a48503b16d2fcd40d54998
SHA1 hash: e469267b65d3aacb2fe5074fd2a54485fab00ef0
MD5 hash: d1c4c493c171000d21ae122bc5d819ba
humanhash: missouri-wisconsin-minnesota-california
File name:d1c4c493c171000d21ae122bc5d819ba.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:356'352 bytes
First seen:2023-07-23 18:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ce2e56297aa247080650722507bc95b (5 x RedLineStealer, 1 x Amadey)
ssdeep 6144:WjyPvs2E0U8it8O/Jm5okFKpARs+fLycNVjD2jB:2yXfE0UxegaEAuSL/jC
Threatray 173 similar samples on MalwareBazaar
TLSH T17074E022B6E0C032E46356300975C2B16F6BBC726B74518F77A82B7A6E306D16F79347
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0dec8d1c8d2dd (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
149.202.8.114:26642

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d1c4c493c171000d21ae122bc5d819ba.exe
Verdict:
Malicious activity
Analysis date:
2023-07-23 18:17:34 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/e5d121df-5965-4f9f-85b6-ed5522eb1dd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430067/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.31858.15986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab92081a-b1c5-4be7-bb6f-81d7eda794c9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277921
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277921 Sample: vhQgySRol1.exe Startdate: 23/07/2023 Architecture: WINDOWS Score: 100 84 Snort IDS alert for network traffic 2->84 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 9 other signatures 2->90 9 vhQgySRol1.exe 15 7 2->9         started        14 MTA1.exe 2->14         started        16 AppLaunch.exe 2->16         started        18 2 other processes 2->18 process3 dnsIp4 66 149.202.8.114, 26642, 49690 OVHFR France 9->66 68 transfer.sh 144.76.136.153, 443, 49691, 49692 HETZNER-ASDE Germany 9->68 70 192.168.2.1 unknown unknown 9->70 56 C:\Users\user\AppData\Local\Temp\cl.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\Local\Temp\cc.exe, PE32 9->58 dropped 60 C:\Users\user\AppData\...\vhQgySRol1.exe.log, ASCII 9->60 dropped 102 Detected unpacking (changes PE section rights) 9->102 104 Detected unpacking (overwrites its own PE header) 9->104 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->106 108 2 other signatures 9->108 20 cl.exe 1 9->20         started        23 cc.exe 14 68 9->23         started        file5 signatures6 process7 dnsIp8 92 Writes to foreign memory regions 20->92 94 Allocates memory in foreign processes 20->94 96 Injects a PE file into a foreign processes 20->96 26 AppLaunch.exe 2 26 20->26         started        31 WerFault.exe 24 9 20->31         started        33 conhost.exe 20->33         started        64 127.0.0.1 unknown unknown 23->64 98 Machine Learning detection for dropped file 23->98 100 Tries to harvest and steal browser information (history, passwords, etc) 23->100 35 chrome.exe 23->35         started        signatures9 process10 dnsIp11 72 ip-api.com 208.95.112.1, 49694, 80 TUT-ASUS United States 26->72 74 185.159.129.168, 80 ITOS-ASRU Russian Federation 26->74 76 4 other IPs or domains 26->76 62 C:\ProgramData\...\MTA1.exe, PE32 26->62 dropped 110 Suspicious powershell command line found 26->110 112 Creates an autostart registry key pointing to binary in C:\Windows 26->112 114 Uses schtasks.exe or at.exe to add and modify task schedules 26->114 116 Adds a directory exclusion to Windows Defender 26->116 37 powershell.exe 26->37         started        39 schtasks.exe 26->39         started        41 powershell.exe 26->41         started        43 schtasks.exe 26->43         started        45 chrome.exe 35->45         started        file12 signatures13 process14 dnsIp15 48 conhost.exe 37->48         started        50 conhost.exe 39->50         started        52 conhost.exe 41->52         started        54 conhost.exe 43->54         started        78 www.google.com 172.217.168.4, 443, 49712, 49713 GOOGLEUS United States 45->78 80 play.google.com 172.217.168.46, 443, 49718 GOOGLEUS United States 45->80 82 2 other IPs or domains 45->82 process16
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-23 18:16:05 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2xcbtvitkwcmxcuapq42dt3vk4pebpk5v5er4mz7bvuacovpx2q._file
Verdict:
malicious
Similar samples:
02faea4481281e7d6e4bd48f06e969b6a9854d4746525af6ccae7a9748b49b95
RedLineStealer
1e34106fd70c84ab8a1a0b27425e2f6d53500fc48bbdc5b02041fb3459721473
RedLineStealer
2a5de2e7ec1dcc3e5b3c1a702b2efd8a60f928dfd641f152212647ed0c067218
RedLineStealer
39ff18916d45394e08dd2c2bd297f30671829ea91812af3c2a0a32b73d274e69
RedLineStealer
57641aef77ca6506c2ae922b35261631de04da377750a3494acbf7ca8951ac9b
RedLineStealer
5a6efc81f1a3e1c8266cbacdeaf04ee400dfcc3bc5998c6df13e68ad6f51cdc7
RedLineStealer
642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa
RedLineStealer
e6b5e4a15de0758793c71dd1b8ae4b6362a127148f70e25d8844156f114a86c0
RedLineStealer
f22e976a3cc892e7c21cf6e222d0cf2e0e6c0dc0f7b882c7ac8d365a1e3b4cd1
RedLineStealer
+ 163 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230723-wwfj3sgc3v/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
149.202.8.114:26642
Unpacked files
SH256 hash:
1161f2aaede4428d7c5ad55c68d14531c7459a2a946e9b946553027db4087b9e
MD5 hash:
5b9e910f14c9664c591d075ccfdda0c3
SHA1 hash:
dbbbe03ec1f8b19d8ae3c39912c7cc07d35c0fe3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/05507e97-04a6-4672-b671-b3390dc8c10c/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
cbb2b3d88f8407ad3533d49d83ee97450a946073cbf9eface7bf8a0aba6a2977
MD5 hash:
1170152a8e1dc3e4b9c38d8146362e81
SHA1 hash:
d1a14beb19d4242e9237c59d5b5d85a3c2c70aa1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/05507e97-04a6-4672-b671-b3390dc8c10c/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
ae08b6ce7cdd04919c987c48a8e1fd11316e15f8071c063e8060251ba49e092e
MD5 hash:
b9ac7ada76639bf533b86fc0ae86597c
SHA1 hash:
74ce4a5df518a85c44d5d51fd3213fd6da36940d
Link:
https://www.unpac.me/results/05507e97-04a6-4672-b671-b3390dc8c10c/
SH256 hash:
ef904719bce27fd4ef1e3221cb658a1ba93f7fafccc16d6e0ffb00a1bfb399e9
MD5 hash:
3c81ebdb4f2dc1f98485343dfeaedce5
SHA1 hash:
0ce97f6e8d3cdac8b68329d57b4d16873d6ed167
Link:
https://www.unpac.me/results/05507e97-04a6-4672-b671-b3390dc8c10c/
SH256 hash:
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
MD5 hash:
d1c4c493c171000d21ae122bc5d819ba
SHA1 hash:
e469267b65d3aacb2fe5074fd2a54485fab00ef0
Link:
https://www.unpac.me/results/05507e97-04a6-4672-b671-b3390dc8c10c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/76ae20cea89a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2687902/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/430067/

Comments