MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
SHA3-384 hash: 9f959f92c99ffb833b474cf6dfd6068415bdf22fcd8dfcb9fbfa1d4e76974dc87349508d7f13db922f83a0aee8263058
SHA1 hash: acc545bf4929aeb6a3ea4bb7efc679dea4400059
MD5 hash: 6ecb32fe0a776fe3b4db33e7afb17b1c
humanhash: april-december-iowa-vegan
File name:6ecb32fe0a776fe3b4db33e7afb17b1c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:349'696 bytes
First seen:2022-12-25 12:40:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7b9daca6da068f54ad4e1900288e8efd (6 x Smoke Loader, 4 x RedLineStealer, 2 x Amadey)
ssdeep 6144:oLARTwjw4+lFhtqnXBykiHHimXp3WCLaratkJRXX4KDJ/plyGymI:oOYWkiHH93vJtkJ57DVpYm
Threatray 12'579 similar samples on MalwareBazaar
TLSH T19A74E0207690CC22CAD249755D2BDBA82F3B7C618B6359F726086E5F7E302B17967307
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acedecee6eaee (119 x Smoke Loader, 44 x Amadey, 41 x Tofsee)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
6ecb32fe0a776fe3b4db33e7afb17b1c
Verdict:
Malicious activity
Analysis date:
2022-12-25 12:43:17 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/752442cd-80ca-4c95-93bb-332465381490

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL-18.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63a844e1a5802d05b3ded88a/reports/4a279b5e-d0dc-4642-bef6-4db2f75b6e6d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cce5812f-5a16-41b7-97d3-8685085ea895
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140829
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 12:41:09 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdtycy5m2oyuzsb44aoiveqdenwp3yg63peyewp7t2elemeyfmza._file
Verdict:
malicious
Similar samples:
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
RedLineStealer
3edb9c1cbc84959696a940c97d4387d05ceceda1fdc858954a5aa23127b84454
RedLineStealer
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
RedLineStealer
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
RedLineStealer
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
RedLineStealer
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
RedLineStealer
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
RedLineStealer
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
RedLineStealer
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
RedLineStealer
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
RedLineStealer
+ 12'569 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:shakur discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221225-pwrh1sef5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
10d89dc018c4f68c4de429d05553643fe51c13ead82dd5ffe77ca6ce3da0bb04
MD5 hash:
57e2dc37dcb1345f2eb161a54cec3e83
SHA1 hash:
f32b2dc4905b6f0bf9bf28376b58773ca6c79852
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ebf27bd2-a190-43eb-b6c8-56d930106620/
Parent samples :
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
114bc4570edf3732d88f11383a7fbe4eb8a92417193f9d098ba095a86b5a60aa
46e8f1e77e132152528af8fea7bc9fe5d08df40b4222d6e91f61cfc0866e73e8
0edbf92ba8990787fa99d173c29e093b379f258ad5a4b3804ffeb5b9e3b2d559
a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
e56e9ab8b567b715b48f14a6c2cb425da1aa3b9df482264c37cd4000bdad99bc
SH256 hash:
05eec1edd8275b5826ba33d3a0972036ab3ebf1498b60db3caaf5680adeddef4
MD5 hash:
9502ded7672e6f0355333a2740b54da0
SHA1 hash:
39e1855154819ddf048ebfc7ead1a071392ac0b4
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ebf27bd2-a190-43eb-b6c8-56d930106620/
Parent samples :
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
114bc4570edf3732d88f11383a7fbe4eb8a92417193f9d098ba095a86b5a60aa
SH256 hash:
cd762a88c2abde591ec9d8a08b0d5d294d942a28085c88b47711e3650560a855
MD5 hash:
b32321503e273118774201c42a5b185f
SHA1 hash:
1d08f10d5f775a53a4b6d8f6a5547af1a279a002
Link:
https://www.unpac.me/results/ebf27bd2-a190-43eb-b6c8-56d930106620/
SH256 hash:
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
MD5 hash:
6ecb32fe0a776fe3b4db33e7afb17b1c
SHA1 hash:
acc545bf4929aeb6a3ea4bb7efc679dea4400059
Link:
https://www.unpac.me/results/ebf27bd2-a190-43eb-b6c8-56d930106620/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80e78163acd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2486082/
  
URLhaus
https://urlhaus.abuse.ch/url/2485583/

Comments


Avatar
zbet commented on 2022-12-25 12:40:33 UTC

url : hxxp://62.204.41.165/most/slova.exe