MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971
SHA3-384 hash:	76e7fa6bc1137020918c9891920e90f86d9a99ab5c48af8b42f8bff7db82da8d5a81b55e9489eee16b5662a61c534fe0
SHA1 hash:	55b238276d47601b6c61783ab43d2c45417da96d
MD5 hash:	f28f8b036b37dfc95420fa4678ce7b96
humanhash:	low-alpha-video-autumn
File name:	f28f8b036b37dfc95420fa4678ce7b96.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	311'808 bytes
First seen:	2023-02-07 18:00:36 UTC
Last seen:	2023-02-07 19:44:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	87e1f4e32d01d5a52e605f27fd138118 (6 x RedLineStealer, 5 x Smoke Loader, 3 x RecordBreaker)
ssdeep	6144:brXPKbLqv3uYfWUm8+uBCyTKUlZ/CU3GiRU:brXPKbuvL+Um8ZjKsxB
Threatray	16'353 similar samples on MalwareBazaar
TLSH	T10A64F1323AC3C0B2F96651305C30EA65ABEEB53155B4CA57FB5807AE9F302D1873A356
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	916a6e6a6a6a6e60 (6 x Smoke Loader, 6 x RedLineStealer, 3 x Tofsee)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.233.20.7:4131

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

f28f8b036b37dfc95420fa4678ce7b96.exe

Verdict:

Malicious activity

Analysis date:

2023-02-07 18:01:04 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/7f64eb27-8018-4298-8825-13721cfb2609

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/361515/

Detection(s):

SecuriteInfo.com.Heur.Pack.Emotet.7.9637.27317.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

emotet greyware packed

Link:

https://www.filescan.io/uploads/63e291de447edb203a031bde/reports/d253444d-2e85-4e00-bacf-c29e4c0d3da8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d0278711-95a2-4b47-9355-01ec1711bbee

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1167976

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971/

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2023-02-07 18:01:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=szmrydhj3s6ssalluviw4xodnlqzmrvesjthx5dmavrjwqquxfyq._file

Verdict:

malicious

RedLineStealer

0e5a2fe272129c522049bdd7a506d754826d8342ea7cfe1c1a3c23c81a2d17e4

RedLineStealer

5f7e979a53d8b78267258ee24d9ce34952da71f19f83e2086fda274464bebb74

RedLineStealer

670ebc347dd7d79c1736cec1f2e8e517dfab7227f14dabbecbd7eda139642175

RedLineStealer

77f19ea2e98aa20589c1196037c0ec3bcb2936b4c1e53fd89c1a22697c8d31c6

RedLineStealer

7b4ae35ac3c70bcf6f9a7367e92b448a8e4f76368c9eb4ffebc53891d77c20a4

RedLineStealer

7becab35b4300ad3c0be8e7dc12f311b140cb8a7b5338e0102fcf6f71c97157d

RedLineStealer

c7f6ca85876a416debb5494c6cb9a5efcb865c7b0cd04030ce31a22ce78c42a0

RedLineStealer

c9df15c0e5c17d79b64b4075b6b5f8d44f66f50744c138e6c95bd55097218c11

RedLineStealer

d59d55ca65f1982ccae31dfd0b9d4910a33adcb209144ec41c7f928c14221eb2

RedLineStealer

+ 16'343 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:roma discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230207-wlvw1sgc61/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.233.20.7:4131

Unpacked files

SH256 hash:

13c9dfd749c400cb475d5f7e2251dccf192d0416f27cd23ea247a6bbd8447058

MD5 hash:

ca3d81b27410bb909e51d30e0ac93e45

SHA1 hash:

6ffa0e1d5e3479190fb2e42a6cbae404f8c427fd

Detections:

redline

Link:

https://www.unpac.me/results/0e84868d-891a-4a4d-beea-9d08621af2cb/

Parent samples :

0e5a2fe272129c522049bdd7a506d754826d8342ea7cfe1c1a3c23c81a2d17e4
5f7e979a53d8b78267258ee24d9ce34952da71f19f83e2086fda274464bebb74
c7f6ca85876a416debb5494c6cb9a5efcb865c7b0cd04030ce31a22ce78c42a0
96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971
b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae

SH256 hash:

86f61aee28ccdae81bb29e7de7dbf4652e4e52ac1463acb682e74c9e8f4acd91

MD5 hash:

07e51dc10fe3afdc6f124a06d825e8d4

SHA1 hash:

2b8b552b1fea7328a09b9cbb0cec73734d9f72a3

Link:

https://www.unpac.me/results/0e84868d-891a-4a4d-beea-9d08621af2cb/

SH256 hash:

edf0e97bcbb37645bca74158112515a62ebbfe82e212f21eff73b90c8f8c978c

MD5 hash:

a66511a96e5adcdedc0ce7f091b2e989

SHA1 hash:

237af06444ccea53c1737ef6c8de8d188ad1a8b7

Detections:

redline

Link:

https://www.unpac.me/results/0e84868d-891a-4a4d-beea-9d08621af2cb/

Parent samples :

48aff3ca7986edc6be811d56c88492f23dc3eeb8eeb10502a78500dc797e1bcc
d59d55ca65f1982ccae31dfd0b9d4910a33adcb209144ec41c7f928c14221eb2
d5abe1bf7cc6986a8a6784afcf8013cd75c3963765ee576c19799b0d4916f826
0e5a2fe272129c522049bdd7a506d754826d8342ea7cfe1c1a3c23c81a2d17e4
5f7e979a53d8b78267258ee24d9ce34952da71f19f83e2086fda274464bebb74
01a09f4a93941e4d0d1afabb4f49f7aa1b9f91cc202cc1d7eba5ca52ebecd317
77f19ea2e98aa20589c1196037c0ec3bcb2936b4c1e53fd89c1a22697c8d31c6
c9df15c0e5c17d79b64b4075b6b5f8d44f66f50744c138e6c95bd55097218c11
670ebc347dd7d79c1736cec1f2e8e517dfab7227f14dabbecbd7eda139642175
7b4ae35ac3c70bcf6f9a7367e92b448a8e4f76368c9eb4ffebc53891d77c20a4
c7f6ca85876a416debb5494c6cb9a5efcb865c7b0cd04030ce31a22ce78c42a0
96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971
621606f23b6d2a7e300cc4785f35fe8235b60604fb2c988470bf8971b57360e2
b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae

SH256 hash:

96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971

MD5 hash:

f28f8b036b37dfc95420fa4678ce7b96

SHA1 hash:

55b238276d47601b6c61783ab43d2c45417da96d

Link:

https://www.unpac.me/results/0e84868d-891a-4a4d-beea-9d08621af2cb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2532610/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/361515/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample