MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b6aef41250212d3022cf0a758578ead2f42ccd5beeef6e5e2a2af067d5f519. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93b6aef41250212d3022cf0a758578ead2f42ccd5beeef6e5e2a2af067d5f519
SHA3-384 hash: c7cba9fee22ff85f5b2897fb617fa86ac121711de46c7014e55be46684ff229cf151b51fef78fe25997a0d994f9451f4
SHA1 hash: 4f8eb2e0ebdc99877f5d63736d364d619237463c
MD5 hash: 8897ed2c3086f8409338fff70f343a2e
humanhash: delaware-quebec-whiskey-virginia
File name:8897ed2c3086f8409338fff70f343a2e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:283'648 bytes
First seen:2021-08-14 06:55:29 UTC
Last seen:2021-08-14 07:57:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d1727cc76cb77410e59de4eb81f68a0b (12 x RaccoonStealer, 3 x RedLineStealer, 1 x Bandook)
ssdeep 6144:ILhvESqIxElovjWP9zzxnZtcDfKtJOROPRQCi:ItOIxJvylWfKzOi3i
Threatray 4'486 similar samples on MalwareBazaar
TLSH T1AA54DFE27583C83EC096D5F148249ABA5B79BC215A54014FA6543F2E2E332E347FE3D6
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179173/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.2118.15811.22603.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a file
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88b30d81-dc1d-40d7-aa60-ba7044bb8ddb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832808
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93b6aef41250212d3022cf0a758578ead2f42ccd5beeef6e5e2a2af067d5f519/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-14 02:04:53 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09d58d081dd9364e99857ac273d52a17a0473cc64e64d0e15b2b9b2f67ef2d49
RedLineStealer
24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52
RedLineStealer
5f813f5fd0f6245500bda8b4df4649810ae1c51bb07ee10e12d19388adab1fb4
RedLineStealer
6ad1cf3b42e1c571f6a7a402ad29e289ea119a6929345660a98e2786a3ddace4
RedLineStealer
81a962862c3c796af1b94b1674698aa15a3c0f4abcb86e0ac23a810c4d4fc0e9
RedLineStealer
8498f560c45b7d2db3427aaf5a481a4e584a1aa8f59767147e895b60e08286cf
RedLineStealer
bc7c170e671f4a5163fa83b2409ef287ba57debb2c3e6f5b8fef916e3d5a531b
RedLineStealer
ebfe4a01a842ddcf434e44a288773454c4c5c35602a5fba3a31e47ff010a1314
RedLineStealer
+ 4'476 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210814-qg1kh9v4ea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.114:8887
Unpacked files
SH256 hash:
896327f3b8ffb0108da0ba4bb4177ecf34b2b537c70ba775f3b8d05f7337e480
MD5 hash:
9ef3832f3b00631ed09c7931e494e3e5
SHA1 hash:
bffc8ce4c382f443820d1d089db72c267090bb3d
Link:
https://www.unpac.me/results/8d93995d-623e-41f0-87a5-142446d65554/
SH256 hash:
5a9bcd47b183892a42b3b68a53e442a93c0bb016fb94abbd8d42b6477e982194
MD5 hash:
9d700a739ff25fd446ab24994185abd7
SHA1 hash:
73eaeff4f6ec5d342f9c5ccf045eab616281d7d0
Link:
https://www.unpac.me/results/8d93995d-623e-41f0-87a5-142446d65554/
SH256 hash:
98a398c51f219ad1ad34f1190a276355212cd4228797708ee2fae4c43b1186cf
MD5 hash:
8cf1348cb3c4ea66ef1664c23478b56c
SHA1 hash:
5e79ef8bfed82f2713b589c7cd24b2e241b2a16d
Link:
https://www.unpac.me/results/8d93995d-623e-41f0-87a5-142446d65554/
SH256 hash:
93b6aef41250212d3022cf0a758578ead2f42ccd5beeef6e5e2a2af067d5f519
MD5 hash:
8897ed2c3086f8409338fff70f343a2e
SHA1 hash:
4f8eb2e0ebdc99877f5d63736d364d619237463c
Link:
https://www.unpac.me/results/8d93995d-623e-41f0-87a5-142446d65554/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/93b6aef41250/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93b6aef41250212d3022cf0a758578ead2f42ccd5beeef6e5e2a2af067d5f519

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 93b6aef41250212d3022cf0a758578ead2f42ccd5beeef6e5e2a2af067d5f519

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1525092/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/179173/

Comments