MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d
SHA3-384 hash:	5644b7ffa6a477a837493582a6f57b2ac8802380bad075ba35b6673b87cdf92c9fd4f2c7dac7acc61ce3d97bc1ab69fe
SHA1 hash:	3d4f74d3524e96c3628c224ce8e2a69702ce55c9
MD5 hash:	263bdc464adc9854f08b5b8d0f030ed2
humanhash:	oscar-solar-missouri-april
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	248'832 bytes
First seen:	2023-07-14 19:49:01 UTC
Last seen:	2023-07-14 22:33:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	40bc36fa70f0816a5b8a662a7b97a051 (3 x RedLineStealer, 1 x Fabookie, 1 x Smoke Loader)
ssdeep	6144:HLoVGI1lPLUc/zrnBisFGohdlpP3ph41rKGfdg:HuG+Q0rnXj/Pe
Threatray	244 similar samples on MalwareBazaar
TLSH	T14F34F1003D90CC76C41791B50CA6C2C1AA3FB4314B7AC98777A8276E6E3D6D29B6E717
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0818140860c0c000 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://95.214.25.232:3004/

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/419667/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95507b88-00ea-451f-89d1-d6a14c932a5d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1273390

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-07-14 19:50:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qtfqlkmnbiypyp5dmeradi2w4w2uacvaq5rnlyjdnhoap537sogq._file

Verdict:

malicious

RedLineStealer

39ff18916d45394e08dd2c2bd297f30671829ea91812af3c2a0a32b73d274e69

RedLineStealer

57641aef77ca6506c2ae922b35261631de04da377750a3494acbf7ca8951ac9b

RedLineStealer

5a6efc81f1a3e1c8266cbacdeaf04ee400dfcc3bc5998c6df13e68ad6f51cdc7

RedLineStealer

6b714efecfe9f33ea5f6d1e9b3ef6f7a6b360e68d0fc4ab27026aa0a9a81ccf0

RedLineStealer

ddb5ba02620ff537ab1fa4de5db434bd155fa3cc288d1a7e5c15422b493fdc81

RedLineStealer

e6b5e4a15de0758793c71dd1b8ae4b6362a127148f70e25d8844156f114a86c0

RedLineStealer

f22e976a3cc892e7c21cf6e222d0cf2e0e6c0dc0f7b882c7ac8d365a1e3b4cd1

RedLineStealer

+ 234 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230714-yjne9sgg9w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

147.135.165.22:17748

Unpacked files

SH256 hash:

61b665c9d8c6bb36efbc081af7030d7e718131d9127c78d7c48471b3c49d0b11

MD5 hash:

ef52db00c32eeb6297612393e4b31d27

SHA1 hash:

e3df44ad822b71873567544c7894f91aa19f87b5

Link:

https://www.unpac.me/results/e07ffddd-608c-4601-a007-c3cd288f0f34/

SH256 hash:

e6d5c75e062e590de5bccb3f2d348da93d3369060ac4724a097df9a84bc2906c

MD5 hash:

dee4dac93828efe1377fd597e394bb91

SHA1 hash:

b618a9f382ff66393bd564307d9bd908626555b1

Detections:

redline

Link:

https://www.unpac.me/results/e07ffddd-608c-4601-a007-c3cd288f0f34/

Parent samples :

904dc186be98665e05bbadc41d8e5e6aea449d40027e726c96dc184c15e77c8f
b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
6b714efecfe9f33ea5f6d1e9b3ef6f7a6b360e68d0fc4ab27026aa0a9a81ccf0
84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d
2fc938491c21e70d94e8de8846ed3d9c32c333b868bd4e6345a28738c2524026

SH256 hash:

69cdae1909872cf0df31b20fea0b448ea41e51203a664f5f309f5d5e27ee90e3

MD5 hash:

c4e84afb3e6ac5912f3ce8f7c37ce5ff

SHA1 hash:

a553d631ac0142489230feb92cc1cca38596dffc

Detections:

redline

Link:

https://www.unpac.me/results/e07ffddd-608c-4601-a007-c3cd288f0f34/

Parent samples :

SH256 hash:

4746a9777ee10aceaf482c9f7aa48c7e8e688a9f2e105ed40565867736b7db5b

MD5 hash:

baf4c16080b5a398b82067484c3fe88b

SHA1 hash:

5f127ae2c31d9f6b7042f62bf49c3c2720151a56

Link:

https://www.unpac.me/results/e07ffddd-608c-4601-a007-c3cd288f0f34/

SH256 hash:

84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d

MD5 hash:

263bdc464adc9854f08b5b8d0f030ed2

SHA1 hash:

3d4f74d3524e96c3628c224ce8e2a69702ce55c9

Link:

https://www.unpac.me/results/e07ffddd-608c-4601-a007-c3cd288f0f34/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/84cb05a98d0a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/