MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93debd2f5562df361e0df486f3aa3b23ea5fa6e2ed9865a00fa8c2c8ecd758f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93debd2f5562df361e0df486f3aa3b23ea5fa6e2ed9865a00fa8c2c8ecd758f1
SHA3-384 hash: 87ff4123c64c2ea8ea701d514d53e0922d371d5599f470c83120c2aaef3ef6008edc92c2cee969f019c21eb50f877920
SHA1 hash: 83dbb7f3abd93dc3953573f70b95084b1cf8a166
MD5 hash: 0d0768e7d06d71760554dcaa521d04ab
humanhash: alabama-cardinal-failed-enemy
File name:0d0768e7d06d71760554dcaa521d04ab
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:303'104 bytes
First seen:2021-12-18 01:00:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 44c00401a20ce3d35e55418765dd0985 (4 x RedLineStealer, 2 x DanaBot)
ssdeep 6144:lULxcLcFDtK9TnLeEmLs3zHYXq/TenV7NxPek/U3uzbgwuYpB:lUyLcFDtKRnLePLszY6/TenbxPek0unb
Threatray 4'040 similar samples on MalwareBazaar
TLSH T11754F13175ACC532CA931B714C708A91AE3FB86161A0968B6B69172F5E70FCC57F231E
File icon (PE):PE icon
dhash icon 4839b234e8c38c90 (9 x RaccoonStealer, 4 x RedLineStealer, 4 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.8689.1017.27649.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2427/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61bd32984ab5c44cbf47423f/reports/f5be6bdd-4081-41be-9f7c-5a671b7f05ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f85ee93-9d55-4ddf-90cb-66934efe3138
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909394
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93debd2f5562df361e0df486f3aa3b23ea5fa6e2ed9865a00fa8c2c8ecd758f1/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-12-18 01:00:13 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sppl2l2vmlptmhqn6sdphkr3epvf7jxc5wmgliapvdbmr3gxldyq._file
Verdict:
malicious
Similar samples:
27eeb225876a7859c31bc8b1e8a8bb1782e2302475836b4a4ba127983a7a2b91
RedLineStealer
4af6c10f95107cb0721dc162cc6e3f13ec9fc8e50ab7aba4a3f3a7a40fe36826
RedLineStealer
4ee947c64c25248011ad7d043d257978b1bf9d1c376e7e25a9d332a5e0af8a27
RedLineStealer
6fe38f5b9a96dcd56ee5653030f5fa73fe8653a42ed4a5bf5a12ed916725ab6c
RedLineStealer
a28f90a3f9e95a92d214da6f6e1599ffe38b9481ecd28aa14f8b74160e60c436
RedLineStealer
+ 4'030 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cheesewiz discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211218-bcn2wsecg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
104.255.170.150:27148
Unpacked files
SH256 hash:
3d881f5e6ef80f1662ef1f7dbe11884f242f9e6b171b41bd002244086ab0cb91
MD5 hash:
761c534343a640b16590135123dde650
SHA1 hash:
cf7b6d302775e1f740dfd7728f05d648e0a3b235
Link:
https://www.unpac.me/results/c6e72214-edfc-4aad-8b73-b2f2432c6522/
SH256 hash:
da3d0bfb5bfab4b5f8d85ff47496517aeff52010251705bbdd59afef5441f0e7
MD5 hash:
856797c260140fed989a6206a74e3e34
SHA1 hash:
c2ce71d0337ef14d695222f82d135690c04a5366
Link:
https://www.unpac.me/results/c6e72214-edfc-4aad-8b73-b2f2432c6522/
SH256 hash:
f35cf1d64e9290ddaa9bf8555c0eb072a589951947cc9c91aabdec9e26e5de55
MD5 hash:
14caa99c5da3459d182d977544da054a
SHA1 hash:
8a5defc039b1d14c8232e69800514b269cd68fe8
Link:
https://www.unpac.me/results/c6e72214-edfc-4aad-8b73-b2f2432c6522/
SH256 hash:
93debd2f5562df361e0df486f3aa3b23ea5fa6e2ed9865a00fa8c2c8ecd758f1
MD5 hash:
0d0768e7d06d71760554dcaa521d04ab
SHA1 hash:
83dbb7f3abd93dc3953573f70b95084b1cf8a166
Link:
https://www.unpac.me/results/c6e72214-edfc-4aad-8b73-b2f2432c6522/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/93debd2f5562/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93debd2f5562df361e0df486f3aa3b23ea5fa6e2ed9865a00fa8c2c8ecd758f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 93debd2f5562df361e0df486f3aa3b23ea5fa6e2ed9865a00fa8c2c8ecd758f1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214914/
  
URLhaus
https://urlhaus.abuse.ch/url/1894642/

Comments


Avatar
zbet commented on 2021-12-18 01:00:04 UTC

url : hxxp://45.159.189.39:8080/1/payload.exe