MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 16
| SHA256 hash: | 861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66 |
|---|---|
| SHA3-384 hash: | ce255db5db15b5a4078ff16604294a66e8e43b2696192274d638ae1b818bf4d8a61d5dddc8df14d1aa6cffb618bf0115 |
| SHA1 hash: | 609e3ab6fbde6b906a91e40b50da377d9bd4e5ae |
| MD5 hash: | 47416d7f4a5624181edd47e0bd9821e3 |
| humanhash: | hawaii-table-ohio-queen |
| File name: | 47416d7f4a5624181edd47e0bd9821e3 |
| Download: | download sample |
| Signature | RedLineStealer |
| File size: | 4'539'392 bytes |
| First seen: | 2023-07-22 06:56:25 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | fbaa33c2c1f9ffecc1bcbd6a9ad09a45 (1 x RedLineStealer) |
| ssdeep | 49152:FajBnYYC4aYkARMmsxyW3qTqfbthg1v5o62W+X02W+X8X:FyBnZC4aYkoMmW3sqf3Wh |
| Threatray | 2'087 similar samples on MalwareBazaar |
| TLSH | T1032612C57EC46771CB97FE310046813D9064683600478AD33AB6DA85B798E8F27E7FA9 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe RedLineStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
287
Origin country :
FRVendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
1e6d0394a9335f03d83a7f498df12ec8.exe
Verdict:
Malicious activity
Analysis date:
2023-07-21 14:11:49 UTC
Tags:
rat redline amadey trojan loader stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware packed
Verdict:
Malicious
Labled as:
Trojan.Heur2.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.RedLine
Status:
Malicious
First seen:
2023-07-21 13:21:31 UTC
File Type:
PE (Exe)
AV detection:
21 of 25 (84.00%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 2'077 additional samples on MalwareBazaar
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline botnet:@ytlogsbot botnet:lux3 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
176.123.9.142:14845
176.123.9.85:16482
176.123.9.85:16482
Unpacked files
SH256 hash:
318fb81812de16e80a2cfc90895004cb03530e49d62d360915661fcacc390da9
MD5 hash:
c663260681134d0f6811806093ec7f8c
SHA1 hash:
9643578b145e79481e35411ee4eb3a5baf30f8d6
SH256 hash:
0c3ba1ed7210694ecbac0028c6ecc8508e80667ef336c321ba3e1ade510371b6
MD5 hash:
7d4a62d54c733ef9752232e3334c2eee
SHA1 hash:
db0520a08226dc0ab4fd879fd6690c32c816a927
Detections:
redline
Parent samples :
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
7b3a28bfe1eb241dd539336313198a6684bcbef1905349b8b0859de555bdf3dc
8de352c1bca0c712c63f4ca6fcc6f725f1cfbb462d39489258ea8478787bb669
2b82e968c7dc0b4726acb9ead06092a059fbf34e9068532ad1151c479e5b331d
4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
854929dccfca0bc24198bb737a81a8d74b2bc924049167b8ed6ad8e96a75610b
0182e73c39240c0e660bbdd4262209f08d767562d4794b7ed5e36a4d4f36b409
b08a80b3d8ed960304fd66086b3c2cf13745118e04d6db99f9b0ff68b869b4cf
0c3419ff8ddebff25027285ff876f30569e7915b993930411b230cfbf3e52214
0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
51f914de76eac9e6bce5b2d3efb1d00a240097e71f3f042303b16917702f64ed
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a
2f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
7b3a28bfe1eb241dd539336313198a6684bcbef1905349b8b0859de555bdf3dc
8de352c1bca0c712c63f4ca6fcc6f725f1cfbb462d39489258ea8478787bb669
2b82e968c7dc0b4726acb9ead06092a059fbf34e9068532ad1151c479e5b331d
4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
854929dccfca0bc24198bb737a81a8d74b2bc924049167b8ed6ad8e96a75610b
0182e73c39240c0e660bbdd4262209f08d767562d4794b7ed5e36a4d4f36b409
b08a80b3d8ed960304fd66086b3c2cf13745118e04d6db99f9b0ff68b869b4cf
0c3419ff8ddebff25027285ff876f30569e7915b993930411b230cfbf3e52214
0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
51f914de76eac9e6bce5b2d3efb1d00a240097e71f3f042303b16917702f64ed
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a
2f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2
SH256 hash:
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808
MD5 hash:
dc0d6257af6ac44eb10333a282b0f738
SHA1 hash:
a749e2c90b313174a91a6e51db6bc8e6dc00f37e
Detections:
redline
Parent samples :
030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9
fd31a663216bfb8143db8ea956edda60157228e4e26abd15724d28e34f435c66
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
fd31a663216bfb8143db8ea956edda60157228e4e26abd15724d28e34f435c66
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
SH256 hash:
960649ef90d8f090e9c9ea10c319eb178709811c62a845318989f1ae6da834c5
MD5 hash:
bb3ba37ce860bab966f7e189b4afd030
SHA1 hash:
5afe199166be0808968167dd130d174d435f35b2
SH256 hash:
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
MD5 hash:
936cb3023cd500e07e9ad5dda9996c3f
SHA1 hash:
5772bd98e8da65cb1339e45074b0a6eaf07219a6
Detections:
redline
Parent samples :
d8244ef0cb7ee70181f80484cff739b6f1458a2e9f2836ad00f445c3b863ba25
c4d252efb23f087a2c2efdb8bc64b97a9976c0f85995a50e18791f4538fac454
4a9c93e088da7f15b571b3595624ae59f112d3f532c8265178d4cc71f7ddd8b6
2d873fb5e5df1ecafccb3eeaa6dc1835676d7f43938ff37a623285a086d6208d
187a40c80f0e837cdce06aae645e185e8da0b82f7ef922f83cff3e4fa27ac421
3c979ae1af88397dc5be34fea28050d85cd283898d71e52c8ad1db05c407458b
b6f77ab64fad140fa89c1ce71cff87397de1e28bfa747690ddb5b28a7e46f461
12e2b32428e957fdb6bc42d0e99a84a2a4e9dde411b356a0ff45bf6b66dd9d33
705dae41f74ff7fa9f5d4474d3474422d69e20bdebb9c36c020978de8ce48368
625423357c26d7445624d49b25dd0debe94b586f08cb2afb746d1498207477a5
67b9b74f647846d67ef5be1e4aba44e74cc62e9e401ca9f8e5bb695daa15e611
31b8115712aa50566e40a5246b9415adb02bb49679ddee79e427869c607838cb
277a999bab7bdb1a609efaf82a6c33a871c8c5334cec9c48241878d060540136
3a054bcc44b57c0cc62512768e7cfe21159d0530d775ae7d04c5b4eeea17c117
b7cb338abb490b1cc110d044049d5b5402bdaf411989d84bd739b7fd6974571f
824802b8de1d5007ebfd0449d1131ef31aec0b5f84fc39fe721fecb9b116007f
d1e74b5540f6ee93076ebff16db8593decd2364f4a4465d4ef7f4087f7c8119c
0017cc9e58298216af63de0f6bbb0a4a369d4b96a5dc52f6f25d47867a1ca346
665a12c39806edc87811291d7c054ccd07ada0f7da775cf90b6473b2a4457586
b106631de5708f0c7db74edc5956c0b438759a051a4624664124b76ee2f29356
fc412bb40a7d2ca18ec93170fb61b7e8db762db7415592f19bc367402f6d550e
73482d57d8d95b8f24345ab5a962a845f0b05f455ce4037a716df4ae2ff275c0
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb
3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
c4d252efb23f087a2c2efdb8bc64b97a9976c0f85995a50e18791f4538fac454
4a9c93e088da7f15b571b3595624ae59f112d3f532c8265178d4cc71f7ddd8b6
2d873fb5e5df1ecafccb3eeaa6dc1835676d7f43938ff37a623285a086d6208d
187a40c80f0e837cdce06aae645e185e8da0b82f7ef922f83cff3e4fa27ac421
3c979ae1af88397dc5be34fea28050d85cd283898d71e52c8ad1db05c407458b
b6f77ab64fad140fa89c1ce71cff87397de1e28bfa747690ddb5b28a7e46f461
12e2b32428e957fdb6bc42d0e99a84a2a4e9dde411b356a0ff45bf6b66dd9d33
705dae41f74ff7fa9f5d4474d3474422d69e20bdebb9c36c020978de8ce48368
625423357c26d7445624d49b25dd0debe94b586f08cb2afb746d1498207477a5
67b9b74f647846d67ef5be1e4aba44e74cc62e9e401ca9f8e5bb695daa15e611
31b8115712aa50566e40a5246b9415adb02bb49679ddee79e427869c607838cb
277a999bab7bdb1a609efaf82a6c33a871c8c5334cec9c48241878d060540136
3a054bcc44b57c0cc62512768e7cfe21159d0530d775ae7d04c5b4eeea17c117
b7cb338abb490b1cc110d044049d5b5402bdaf411989d84bd739b7fd6974571f
824802b8de1d5007ebfd0449d1131ef31aec0b5f84fc39fe721fecb9b116007f
d1e74b5540f6ee93076ebff16db8593decd2364f4a4465d4ef7f4087f7c8119c
0017cc9e58298216af63de0f6bbb0a4a369d4b96a5dc52f6f25d47867a1ca346
665a12c39806edc87811291d7c054ccd07ada0f7da775cf90b6473b2a4457586
b106631de5708f0c7db74edc5956c0b438759a051a4624664124b76ee2f29356
fc412bb40a7d2ca18ec93170fb61b7e8db762db7415592f19bc367402f6d550e
73482d57d8d95b8f24345ab5a962a845f0b05f455ce4037a716df4ae2ff275c0
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb
3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1
SH256 hash:
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
MD5 hash:
47416d7f4a5624181edd47e0bd9821e3
SHA1 hash:
609e3ab6fbde6b906a91e40b50da377d9bd4e5ae
Malware family:
RedLine.E
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | detect_Redline_Stealer_V2 |
|---|---|
| Author: | Varp0s |
| Rule name: | INDICATOR_EXE_Packed_ConfuserEx |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with ConfuserEx Mod |
| Rule name: | MALWARE_Win_RedLine |
|---|---|
| Author: | ditekSHen |
| Description: | Detects RedLine infostealer |
| Rule name: | pe_imphash |
|---|
| Rule name: | redline_stealer_1 |
|---|---|
| Author: | Nikolaos 'n0t' Totosis |
| Description: | RedLine Stealer Payload |
| Rule name: | redline_stealer_2 |
|---|---|
| Author: | Nikolaos 'n0t' Totosis |
| Description: | RedLine Stealer Payload |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Win32_Trojan_RedLineStealer |
|---|---|
| Author: | Netskope Threat Labs |
| Description: | Identifies RedLine Stealer samples |
| Reference: | deb95cae4ba26dfba536402318154405 |
| Rule name: | Windows_Trojan_RedLineStealer_3d9371fd |
|---|---|
| Author: | Elastic Security |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://87.121.47.63/lend/owc.exe