MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96b568fed3b229ed6dc7998379df0b4aba3f9d2758b685fc4a9942765228d57b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments 1

SHA256 hash:	96b568fed3b229ed6dc7998379df0b4aba3f9d2758b685fc4a9942765228d57b
SHA3-384 hash:	06d6193d825c7a9daed1bf14e3507242bcc942dce9c1137591e6335b526512c2f32f69cd88652e8dc845838d0f45074e
SHA1 hash:	cc668e96805f55b7233ff5051ff53c8827e4ee87
MD5 hash:	f8a6533ef481723a92839b4dab7b9e89
humanhash:	bacon-grey-oscar-diet
File name:	f8a6533ef481723a92839b4dab7b9e89
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	327'680 bytes
First seen:	2022-06-07 11:18:07 UTC
Last seen:	2022-06-07 12:07:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0eab09b98c18d699716845418f92678c (7 x RedLineStealer, 1 x Cutwail)
ssdeep	6144:NwGIMVKXMdP0ZhrdUXouRtwSupntQalU1MW:eqyZPPuRtwS4tQx2W
Threatray	5'022 similar samples on MalwareBazaar
TLSH	T16664F121B7F0C832E1F3A73044B586512A7BB851A27451CF6BA8176E7F603C19E7A367
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0f0e4e69cf0f060 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

1'305

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

f8a6533ef481723a92839b4dab7b9e89

Verdict:

Malicious activity

Analysis date:

2022-06-07 11:26:27 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/c0032cf1-3699-4be3-8080-107cc137b048

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/277348/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.27803.13515.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed ransomware

Link:

https://www.filescan.io/uploads/629f3466a2b1fc9744d3c029/reports/708d37d2-15f1-471d-946d-8e6a82a827c0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/821089a5-215b-4698-8dc7-25f9919ba474

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1008087

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/96b568fed3b229ed6dc7998379df0b4aba3f9d2758b685fc4a9942765228d57b/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-06-07 10:55:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s22wr7wtwiu623ohtgbxtxyljk5d7hjhlc3il7cktfbhmuri2v5q._file

Verdict:

malicious

RedLineStealer

6053a38f2f9b911cb682ae3085cb8d3abd77c4a886a3790f0e66020d16386c30

RedLineStealer

837ffb4801d47f374913ffd47e6ed9830a4bc2377d7a33b5b14007075d04ac0d

RedLineStealer

93ac1dfcdeb6aca6957632ec2478a2baf8f9b71e936102922098a2bc5233a9d0

RedLineStealer

ce79e3c3e7213dcb9ff8147fd9d5f3bb894d51fd397567508e6685b9c89391d0

RedLineStealer

e1940d5d2ccc9a7db9bc4605837262efe7a223942a7cbd9b59506070a04404be

RedLineStealer

f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e

RedLineStealer

fe081cfd90bdfd2afc2564cc944631815679802b3e9a48acf888b508d247d7cb

RedLineStealer

+ 5'012 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:meta discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220607-nevcxadhb5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.245:23196

Unpacked files

SH256 hash:

08e75a9e3df8d212c34049ae749e270b7f2c2d922e7ddfbc4197813b963954b3

MD5 hash:

e8c9e9cc0036bc649232bc0e9634e6f7

SHA1 hash:

88f6b3d385ecdd2419367ab6511cfd612eb179ad

Link:

https://www.unpac.me/results/99cc698a-2c50-4b89-b0ff-38479793d0cc/

SH256 hash:

04dbfc9cb2909469fab0bed698c7e371c916ce9b7a9a9328c57d080925a05e57

MD5 hash:

89ce9c691eaf75639edd700b087dca8f

SHA1 hash:

0610f8d2761ad67f9b64ebd3be202be32ced7116

Link:

https://www.unpac.me/results/99cc698a-2c50-4b89-b0ff-38479793d0cc/

SH256 hash:

8938f212bedfaf8b11511975865a15ba06a9b3b53d2c9aa5c295b70ad79dd6f2

MD5 hash:

041ea344f71a48cd5201fc24ce740a61

SHA1 hash:

0008a3f30efa3d96c6a444f4b8f7e395fc2ea237

Link:

https://www.unpac.me/results/99cc698a-2c50-4b89-b0ff-38479793d0cc/

SH256 hash:

96b568fed3b229ed6dc7998379df0b4aba3f9d2758b685fc4a9942765228d57b

MD5 hash:

f8a6533ef481723a92839b4dab7b9e89

SHA1 hash:

cc668e96805f55b7233ff5051ff53c8827e4ee87

Link:

https://www.unpac.me/results/99cc698a-2c50-4b89-b0ff-38479793d0cc/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/96b568fed3b2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/96b568fed3b229ed6dc7998379df0b4aba3f9d2758b685fc4a9942765228d57b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.