MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93c1133925636f66bdd621606e652c5aac0a7f181a05273c8179ac7f6192377c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93c1133925636f66bdd621606e652c5aac0a7f181a05273c8179ac7f6192377c
SHA3-384 hash: 7483f4a33465616fe4ff85821a87a5950b96fc73256e1f414f4115d7bc640987d883fa2e1ac26fa0a67cca9f265effca
SHA1 hash: c9bb22d4bee111bc8dabd29d9e879a685c8d9db6
MD5 hash: 0380f803e734da7722390070d88a5577
humanhash: earth-grey-sierra-moon
File name:0380f803e734da7722390070d88a5577.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:369'869 bytes
First seen:2022-10-01 22:15:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:eEaXBUcN2BRrn1fH0N6GkBut5adsSEK69yDPhSjYlakxjTLVqoARRSTZAPdg+:/aRDNoVJKRtUdsSEK69yDPhSjYlakxjv
Threatray 1'430 similar samples on MalwareBazaar
TLSH T19774639D766072EFC867C876CEA81C64FA60747B930BD203A06316ED994D69BDF140F2
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 5141494747556d1b (107 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
13.72.81.58:13413

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
13.72.81.58:13413 https://threatfox.abuse.ch/ioc/850803/

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315611/
Detection(s):
Win.Malware.Trojanx-9862538-0
Create hunting rule

Win.Packed.Lazy-9958163-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a97bbb6d-d056-4079-85d6-b5f6a92e207d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081692
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93c1133925636f66bdd621606e652c5aac0a7f181a05273c8179ac7f6192377c/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 20:51:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
34 of 42 (80.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=spargojfmnxwnpowefqg4zjmlkwau7yydicsopebpgwh6ymsg56a._file
Verdict:
malicious
Similar samples:
3ab5756125ff7acb9af389c86728073679a1cf2b98f9e76bdb97184eb308ab7c
RedLineStealer
49f412c22d9944bbc1948cd41574d0856a12a7884600298ce129d1ffed5bf6dc
RedLineStealer
59e899850342fd8cec14c516dddf3394fe846f043b0959e3daa856969454587f
RedLineStealer
5ab858633f43895ce93b13f2b214d6a0613f983f03c47a5e7e613a890ae2050b
RedLineStealer
884b73f88d5b30892c7cc1e60d8208d8cf14e5d1f2bebc6e58d7ba2ee31a634e
RedLineStealer
c31382b24d3f3ed0cf2873aeb3bc2510ca7869a1ff64a55b48ccf8a7145b9493
RedLineStealer
+ 1'420 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:0002 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221001-16sdvahga9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
13.72.81.58:13413
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fa1d38de-8e3a-41ef-941d-bff7790a55a0
Unpacked files
SH256 hash:
fbdbd501bc3274365bbccab817953c9b9992cfe0f0bfa1338a1fa2ac4479edfb
MD5 hash:
2a262fee02f429a83f82f3e4b54c25a4
SHA1 hash:
c068304395047f630ac36aa7008bf2d68ac199c5
Link:
https://www.unpac.me/results/3e3cdaee-8ee4-4901-8faa-6aa0b3f0a385/
SH256 hash:
93c1133925636f66bdd621606e652c5aac0a7f181a05273c8179ac7f6192377c
MD5 hash:
0380f803e734da7722390070d88a5577
SHA1 hash:
c9bb22d4bee111bc8dabd29d9e879a685c8d9db6
Link:
https://www.unpac.me/results/3e3cdaee-8ee4-4901-8faa-6aa0b3f0a385/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/93c113392563/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93c1133925636f66bdd621606e652c5aac0a7f181a05273c8179ac7f6192377c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/315611/

Comments