MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95dc83cadd34f15afa9fd684c6f931a756a9fc5e1cd7e069cf785e309e944a60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95dc83cadd34f15afa9fd684c6f931a756a9fc5e1cd7e069cf785e309e944a60
SHA3-384 hash: d1a420d473ee1a11edf3a5b799a3c7cedcde88ed64f7756bff0b0100c4da46c8543d4e87df826012eaf428e0f61a0d5e
SHA1 hash: 2a01aa30db6473d85aa23289ba53dd1d8d4763e3
MD5 hash: 058008708b231b10585b60c309d69219
humanhash: fanta-north-carbon-wolfram
File name:058008708b231b10585b60c309d69219.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:419'840 bytes
First seen:2021-06-27 15:52:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c55a6c5b8dc5009c74a01bc124b7b217 (2 x RedLineStealer, 1 x CryptBot, 1 x ArkeiStealer)
ssdeep 12288:xu9qLn5d40Q2zeV4FSs8UGIecgq+thpG:Ewd4J2G4FTsIeKi
Threatray 961 similar samples on MalwareBazaar
TLSH 61949D00FB90C035E6F611F84E7AD778A53CBAB2572451CBA2D52EEE57346E0AC3161B
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
058008708b231b10585b60c309d69219.exe
Verdict:
Malicious activity
Analysis date:
2021-06-27 15:59:39 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/d0d0a15b-2d14-4ebe-b78a-1f6bcc7e860f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Glupteba-9874594-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa65e844-8e24-4eb2-9391-cd0a3824c747
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808574
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95dc83cadd34f15afa9fd684c6f931a756a9fc5e1cd7e069cf785e309e944a60/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-06-27 14:23:00 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxoihsw5gtyvv6u722cmn6jru5lkt7c6dtl6a2oppbpdbhuujjqa._file
Verdict:
malicious
Similar samples:
0bcf14216198351151d34d3e6ea6c05bf06c62eee05e15804ba132ea455b3710
RedLineStealer
34cfa360c2efd052e71a29f2091723206cf2a74dc87c64b1d617e822f69b7180
RedLineStealer
377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
RedLineStealer
475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2
RedLineStealer
4955fdfd3badd730cd26c71a8804d57a38310b8cd1981397c00db1ea24e14507
RedLineStealer
63d9527d69c228772ebadb63c1e74d7d0702acac52357fcea08ec5a408ca0453
RedLineStealer
9f3059cd216e4310893b76812fac2bd3b203a592e5604347472b71ada0150855
RedLineStealer
b3daa8d8b247d807ed0619e9f246a6769aa8334f61586a2579ea4886ffca05c1
RedLineStealer
b479768bf30303be4d80d2ec21ea1a5cb116307e7c637a562b28c019acd515fa
RedLineStealer
b6f7d08666ed5c5309dbd3902783735ee77c1d8ab19e410af5c687488f21557e
RedLineStealer
+ 951 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pudt discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210627-3q3tbl9knj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
176.111.174.254:56328
Unpacked files
SH256 hash:
d3a86e8c7dfc6da4450f1a19e214637dc87e4bf9e0ad30034803ab80cace095c
MD5 hash:
cb5fc5dd3ba9fdd7af4b8eecf33f77d5
SHA1 hash:
d2bf6ecc946301c58381a88bf12d74204314b7e8
Link:
https://www.unpac.me/results/0e82c749-390c-439e-8be9-434afc1efb47/
SH256 hash:
a3774922e16ff1224a3e509b6fffc7c1dabe5a9a680539608b78839e481d7f1e
MD5 hash:
651e96a0d52076aa5ed2d82739b5c9b1
SHA1 hash:
b1ccd75ad0feed1d11deecb72ef0abac5e3ecf09
Link:
https://www.unpac.me/results/0e82c749-390c-439e-8be9-434afc1efb47/
SH256 hash:
e13e35685114980f612af2304d7916557b03dc43609ada58de42bfa1bd5929d1
MD5 hash:
d73b577cdc3854b7ba4b09f17a84e1db
SHA1 hash:
0b60823181914658cc07e8629fc9b5ddfcdf1fee
Link:
https://www.unpac.me/results/0e82c749-390c-439e-8be9-434afc1efb47/
SH256 hash:
95dc83cadd34f15afa9fd684c6f931a756a9fc5e1cd7e069cf785e309e944a60
MD5 hash:
058008708b231b10585b60c309d69219
SHA1 hash:
2a01aa30db6473d85aa23289ba53dd1d8d4763e3
Link:
https://www.unpac.me/results/0e82c749-390c-439e-8be9-434afc1efb47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95dc83cadd34f15afa9fd684c6f931a756a9fc5e1cd7e069cf785e309e944a60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 95dc83cadd34f15afa9fd684c6f931a756a9fc5e1cd7e069cf785e309e944a60

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1394014/
  
Delivery method
Distributed via web download

Comments