MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5
SHA3-384 hash:	6c7b0d231aa641c2f29e7e91204415d0e1ad510f659a977fd830d89d3f1b54ff682508c95c779c64f44e365a034beb7c
SHA1 hash:	17da8aa1d884b04ae2e130660ff09a87183b812f
MD5 hash:	dc808cde87c24e560944b26bb9e2901d
humanhash:	wolfram-island-shade-wolfram
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	388'608 bytes
First seen:	2023-06-16 23:29:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcc5ef716ee1fee9b7ffaf9728383a4d (2 x RedLineStealer, 2 x Tofsee, 2 x Rhadamanthys)
ssdeep	6144:d+m/cGp4CaE/1GnZdUZyAUyHjqSSHbtaYM0RBh:Um/cGpwEdGn3OZOSS7nMI
Threatray	33 similar samples on MalwareBazaar
TLSH	T19F84280392B23C44EA76CF729E2EC6E9361FF5618E59B76D51189B2F04B10B2C763721
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	8888908084c0d004 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://45.9.74.6/2.exe

Intelligence

File Origin

# of uploads :

# of downloads :

504

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-16 23:32:20 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/cf8d82fb-8690-4ab4-8a87-dca3c47efb0e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/399591/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/91093/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/648cf07a153b44fd385a2728/reports/fa6afe91-ac7b-4b02-b670-82ac67a80a0c/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb2e6650-8203-4546-910d-f9232e919ffd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1256361

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-06-16 22:35:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=saas33owomrs4re6gn7e3eake5kph2zbca6gfz4zzi2q53v5g72q._file

Verdict:

malicious

RedLineStealer

17b06b8cdf3b99754409988f579971fa396ad1807570143818ef5c0c532dd86d

RedLineStealer

1a6ebcbdbec2e51caa6b76b39a8608fde9ae766e8f937ac128a638763c4ad223

RedLineStealer

36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6

RedLineStealer

3ef6e2d77b69452be6d8101b1bc029570af3af86495111bbca696c92345547a9

RedLineStealer

62a2221333631de6cf65db3fa3e2650947b23f24ea172a3ea998d77baa0cb270

RedLineStealer

e149546242d925d24473153a5e6bafbb3e9a4cb36ba86865dfa465d40617be22

RedLineStealer

ebb2ba69aefa29443238a76949a991384b01e4bb8291cfc5531e233d448cb280

RedLineStealer

+ 23 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@germany discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230616-3g4rpahc49/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

185.81.68.115:2920

Unpacked files

SH256 hash:

a70f9478f132216be729645ec5d7ba93e8fd09fa75452d631749f5ebb8112a39

MD5 hash:

2ecc13ff8073fbb0c6877a70193694d0

SHA1 hash:

ea63864cc007e1f0212e5f9127ccbaff5c02cbad

Detections:

redline

Link:

https://www.unpac.me/results/8514da2e-4e1f-4739-b01e-e3db60b56d58/

Parent samples :

36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6
62a2221333631de6cf65db3fa3e2650947b23f24ea172a3ea998d77baa0cb270
ebb2ba69aefa29443238a76949a991384b01e4bb8291cfc5531e233d448cb280
1a6ebcbdbec2e51caa6b76b39a8608fde9ae766e8f937ac128a638763c4ad223
3ef6e2d77b69452be6d8101b1bc029570af3af86495111bbca696c92345547a9
e149546242d925d24473153a5e6bafbb3e9a4cb36ba86865dfa465d40617be22
a9140d39d5c4aa1ffe539c431fc95da154a2debbd180e5bdd33978b8a56a4701
60ba317c673641c96c24921d5908169b1eb27ae2aff2e0cb1d5aac43d8e3aa47
21fda73dd761f3a421f9cfbfa0944ac3226ef3e36905de421dd69060fe1a4b7a
8e933b2d90245af4ffffdbc914dcdab6e9167e48ed41715e614546d2b37279f1
3411be33cd514a23e0a799f888ecafdee90ebc724077e078babd340c02b3e444
5a92fbe395867e25c5fe4ae2f61946a3c3a9f141a14e41584939f7715b82ed26
63054e85bcad2319e692c774c253bb74c8b39531f6bc64664e7cd4cd7614b6b0
9e7036fd7a127e55e19ba8e7c277880f1ea2aecd5810620d5d2c37fcf547269c
e4d026295f494f4451cdca57fbeb0bf815b0db6f5b559354128676aac0f5daa3
6e1f1acde46206aeec80aff2847e28c13ba4a968cfc1f2f796039ee2abdd4427
cc8fa35d6827a4227d73c39d758ccec4a55dde4688abe6cad0062e92e133a9da
07109ec0f36d15537a80c566875fcbb482f1057104ed0669bc77489b1b2e3bb7
f19aac41c3f432af709d0597c34fe4c25348043ac622e97d89ded00fdf663a5f
1688dc9d9147e95bacc1b2a5ba0b3f48aafa697e7afa9795d94eddd842184fa7
1a2abfd9f3c9996f30c87609640c70e1cff2e76b15b3deede180ab33a1fb6629
b2ed125f1073843402dca506e06379e0991910cc46c7ca64da83ca45af6609d5
441bb4d4e051b2c79398a8cd8aa996a8694c6ddc8ac8b1442c69c469f4cb74b5
ccb6aef1741c370192d1af595e57ae1ae67c28101b934f1fc7303a5bb778d51c
a2f2bd6394b4d85f2d810724480df9f5d893aa298418a262b859074c4820b84c
f107eeb431a43d7f1f26e3729a58420d2556ec9745e48da5840e3c1218b7aadb
4c313f3f72094ea68a3e98db6778ce4ce9f38d3ba22e3b4b752a7a95679b1b70
1107924f1ace30ed819e1c694e406da31f31ff9250e750011450050e1147eae8
90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5
65befbbadf131fadbdc58f2760b7135a280632d7efd214433e5b9881cd4e54d0

SH256 hash:

3224fc3a642ab6306202c6a95054ed5c5fa4d1eca798b5c3cefcbc0c7d7bee41

MD5 hash:

90292da3cbe7a4baa13f1006f4187722

SHA1 hash:

b3ebac2b1bcb7e65c167eb45de9b0725b8b5798d

Detections:

redline

Link:

https://www.unpac.me/results/8514da2e-4e1f-4739-b01e-e3db60b56d58/

Parent samples :

SH256 hash:

71413391003853f795298f817d5838f38dc538852abf0f7d2601cb20adebc7f4

MD5 hash:

2c6de7a063443e62182b35d5e5f7958a

SHA1 hash:

a0d99c6c3c97fe3fad283d88fc78463e2539ec70

Link:

https://www.unpac.me/results/8514da2e-4e1f-4739-b01e-e3db60b56d58/

SH256 hash:

90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5

MD5 hash:

dc808cde87c24e560944b26bb9e2901d

SHA1 hash:

17da8aa1d884b04ae2e130660ff09a87183b812f

Link:

https://www.unpac.me/results/8514da2e-4e1f-4739-b01e-e3db60b56d58/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/90012dedd673/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/399591/

URLhaus

https://urlhaus.abuse.ch/url/2649818/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample