MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84ad507d0a4638076bcbbfaae1a6d538334ed0108a635b48bc0913267ce3b31c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84ad507d0a4638076bcbbfaae1a6d538334ed0108a635b48bc0913267ce3b31c
SHA3-384 hash: 1e4776287f44740be16a4c0d87523d8e4f945993d8b74192b7b19e2cc53abbd23314e6b26444b442e081e42ccf14b945
SHA1 hash: bf63f8c558227aca1d809fe39c0c8a70754470b5
MD5 hash: 7d4b7d65d467b752ea018b9d1d5c1a60
humanhash: lemon-carbon-five-pizza
File name:7d4b7d65d467b752ea018b9d1d5c1a60.bin.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'377'968 bytes
First seen:2023-07-20 13:30:25 UTC
Last seen:2023-07-20 14:31:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash da31105089a03ba80334eee13355d2ba (2 x RedLineStealer, 1 x MysticStealer)
ssdeep 24576:HaQmbljQAq/RAVvFKIw2CT9IOgTdV9C6paPFTgHv:HaQyljTqJAVvFKR2CT97gTdV9C6paPF8
Threatray 216 similar samples on MalwareBazaar
TLSH T14E55DFB76C3B058EC1B0233E2CFB790AB6EED2803D55D51F4DAB07C9D1762905AE2499
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
194.50.153.173:24496

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
7d4b7d65d467b752ea018b9d1d5c1a60.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-07-20 13:33:05 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/c842e817-9507-4281-a59c-38c9dff2dd35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/426194/
Detection(s):
SecuriteInfo.com.Variant.Jaik.156731.28248.31256.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware masquerade overlay packed
Link:
https://www.filescan.io/uploads/64b937167a9c6ddebf0bde8f/reports/82e7187a-5d92-45c3-9756-a66c56317be8/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/84ad507d0a4638076bcbbfaae1a6d538334ed0108a635b48bc0913267ce3b31c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkBit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12a5cad0-7138-493c-b9fd-cccdde17a61f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276819
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84ad507d0a4638076bcbbfaae1a6d538334ed0108a635b48bc0913267ce3b31c/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 13:31:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qswva7ikiy4ao26lx6vodjwvhazu5uaqrjrvwsf4bejsm7hdwmoa._file
Verdict:
malicious
Similar samples:
090c5cbe4133ef686f2c8ad8cc1a835d1be38162a3add01fd4b0a53c5ea8cc85
RedLineStealer
37f4de4ac5d64d68e8c468d06ccc1cee1142894dbd87e63a6a53a3098db6e747
RedLineStealer
39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d
RedLineStealer
558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a
RedLineStealer
621073c2fd07300a3d202b5801f3c17869f0aa73718033492ac986aafd9a897a
RedLineStealer
c770b3a12fd153340bc59a93c422e133edffbc36f176aaf989311dea77e833d3
RedLineStealer
d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5
RedLineStealer
de806157402fbf33b8ef3e4f2959d06fae95d56ec043acc95932fc70522f41ab
RedLineStealer
e8d4fa5f9b4c34193286dae2a80c38cfe75e57942c9454ee9ca898017eab1d7b
RedLineStealer
fb52d04d3776ae601665d32951258df6743886f9d169ba47a76ce0c6e9646f24
RedLineStealer
+ 206 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:inst discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230720-qsc2wsgg88/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
194.50.153.173:24496
Unpacked files
SH256 hash:
90e4eae60401e8eb595a7cf83fb5570d37c7bb22fdb660392a4e965f42e3cac8
MD5 hash:
6a0b4e2c513e475de1062acc9af8ef90
SHA1 hash:
6175a82215574fcca5bf3b5dfd44a399e60c3132
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/2d6f0b03-a2c6-4744-8847-76c785b8b7ce/
SH256 hash:
1b2726c9a400ef5097671a48c72da0d46309624db79ea60a6295c784e0c94633
MD5 hash:
f2e685a4296545aacb4f125a50e2dd6c
SHA1 hash:
3e2314e7e15c5cfb8a92012d462053faa722a025
Link:
https://www.unpac.me/results/2d6f0b03-a2c6-4744-8847-76c785b8b7ce/
SH256 hash:
84ad507d0a4638076bcbbfaae1a6d538334ed0108a635b48bc0913267ce3b31c
MD5 hash:
7d4b7d65d467b752ea018b9d1d5c1a60
SHA1 hash:
bf63f8c558227aca1d809fe39c0c8a70754470b5
Link:
https://www.unpac.me/results/2d6f0b03-a2c6-4744-8847-76c785b8b7ce/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84ad507d0a46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84ad507d0a4638076bcbbfaae1a6d538334ed0108a635b48bc0913267ce3b31c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/426194/

Comments