MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b
SHA3-384 hash: 4b2629c133ccd1762b84ba5e9e88104ee1a21d61bcd7e4c3e4ed3fad11b1f0b2d835ab09c74a087dffa9c706c0d2d9ee
SHA1 hash: cf8b763bd96df2730a15962a329e0acbd8ec72ec
MD5 hash: 792c71d5b41dc84e43dab64f1814c025
humanhash: vermont-lion-timing-carbon
File name:792c71d5b41dc84e43dab64f1814c025.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:284'672 bytes
First seen:2023-02-18 08:11:24 UTC
Last seen:2023-02-18 09:34:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1189c0a2ecbe8fd35560b095ffebf6bd (6 x RedLineStealer, 2 x TeamBot, 1 x RecordBreaker)
ssdeep 6144:x0ie/VCXhdr1ypZNVc7d9NTQQ9BYieerPwY+qOdIQJbWgqQOa:x0XNQdr1/NTQQsSPkqqVJbWnQ
Threatray 5'899 similar samples on MalwareBazaar
TLSH T1E054012236D280B2C0A755345670E2A47EBFB4318978D6CF3768267E5E707C27B39366
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000081422084800 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.17:4139

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-18 00:31:15 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/6e830a11-b04d-4290-8cd6-f2a7c3f41233

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/367930/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65556353.8475.18099.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63f0885b82c5a04097f86eef/reports/01193467-b982-4218-8d9d-cd42ed9cd512/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9bbf6792-bb97-4c91-9568-ba9e5fbd2f42
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178406
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2023-02-18 00:27:16 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5umwpfrhcy5jjouj6gxu4tmvuhqa3qzhgve6rdcbvc4mcutievq._file
Verdict:
malicious
Similar samples:
3a33afc3b70224236136b758367745f98be78ad47f9dc62a8f61a0a5da749e22
RedLineStealer
3baa60570d3b29c6ad081cf1cf3c87b3a2d6f0a8c0218acb72d03aa1042b26f3
RedLineStealer
621ccf691f7df273e47ac3ddb553a7683c52745f9e0a499c347ddd21955af7e3
RedLineStealer
661aa10b175ac662b937411d965e22085a7cbcdb60c1b86bcceb680d7dbf8c85
RedLineStealer
801584f33f7518cd0c7520f94a2be9dae2cb899f9c5a20ae3c120bac75cf0ed6
RedLineStealer
8be4a49e4a0cf13aa909d0aa371c52c2ca6de39e1d4bd61de194471418fbd0fb
RedLineStealer
ec455089514a7594f40640bc85c68ea44bc36d9baa88584e7f8c1d878ececf2e
RedLineStealer
ef4f6c2aa8c7b4637e6401659d869c1dc3e6a1358fb31f5442c7ed7e1bdec85d
RedLineStealer
f9b11cfc2e6839485057071f99d006e536f6275a3e48729c34c6629b8751bddb
RedLineStealer
ffc503e35e7884be31693005500cbf89858bf9d8017e3b10ac2144d0692c7929
RedLineStealer
+ 5'889 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:ronam discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230218-j3vw5abd79/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.17:4139
Unpacked files
SH256 hash:
b7b0c6ae94fecce159df458a4c67e84ba8c8b1e39d3279428568a393d49e8aaa
MD5 hash:
b8fe1f464e35838e160672e994d58220
SHA1 hash:
b3bb88ccaa506e8969067e0c3afcc10d009ea4cd
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a0f55f70-e15b-4335-b6a6-20d495e0cf6a/
Parent samples :
5b6679b660f325eca852d70b0d99e5bfdd6826c9a777167d94798f7c90663291
d23218868354efc4107040db6aebf4c097a96353e0ab394730f0b23eaab554d2
e28d97ea51bd1358c206ef5eefc7ed2d7349bcf493e70bad015c0aeea276eef8
46aaab86e703a417e047127b4cea47ce052df52f2de4f91329db50b004333514
51ccb6a2257545298badc3114136520da6b91d5932c54b0cc5bb837558440e8c
59229c7b70c40875d2d4dc19076b4d19fc32e2d3645530c5f80929543cd2cecc
3ffa015992650bbf7816552c1a97cc737f10b931c13d9cda673d75d3d0bc4af2
b0cf8442952168f43931a315e48588ac0fb3eae7793f7c568dc1015d3307abb0
fa1894cae66e526e056ca8733144a079b1e49eccd72d1e1a71d395884c11b765
ffc503e35e7884be31693005500cbf89858bf9d8017e3b10ac2144d0692c7929
8a102a4db4038e413d863950c4904308382468c83fd1a6a8430b179d3c22f409
97626bf100427484a73158accec393e92f98a78ed326fc959f8c420b7368f9c2
456758011a20b4844a9d635fe22f96af4b9f41d0596f502535d6bdeb9d7ad959
b652cde92a34f384214d605514ce2977fcaa8d7a336bf7c605e78fdfc023b2f6
3f2c4e9d21bed230d6d35b9f3982d67d9d514bdaf89207b3161ceb425ace0a9d
3eca2d42bf74dfdcb63444f6d2efd4ada5c0621f5a9b877f981bb55b1fcf6a8e
239d8d737fb793b73074e1a1151d00785d914d681f15cb205abd99b04bebfe22
a66f5babbd0c32c187e73ad6d3c0b4c01a51ba73e19ad3b250b1c5f733b781da
a58d702acf3da7be2deaeffa4d2d58e4aa7959f5edcb81c2af77311bf8c8609e
801584f33f7518cd0c7520f94a2be9dae2cb899f9c5a20ae3c120bac75cf0ed6
9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b
5cda278396be9ad779e31b37e00b9751e944127f4b6df8ac5ebdfd767da70a8e
ba9b8dd31763548a5fe839c1911b3a6ec913f10f76ab5d7843aa89a0b9413b84
2850a4cfaf2a7c6f1347e71f9466cc779ff3adcf54583d29769130954910a310
d3cb7ec0a3ad5abe44e87d36243bbe2c15e544f6a0c6d94f928897351e7fb9e6
6ff16975cf50ef941b98d30c53979d49a945546f909f45183f6fe3541dbd07c7
aead3211ec364534b370cdb6dfa3a209cbcf9bc996e380148c03eb44a6bb28f1
ac1f34b312ed3c907e60ab5998d571c5d7eb5320404c7b7d466a65a4656437f3
c2400ff0db9c8705af0225ae397a3c7048717a7857d7a929cc8d80e4668ebe25
f0de95ce126151d1ea32a246ca91789a0efaa766f4dea18bc294301f0bbd36e7
0d9f8f4fb079a2ee381ff6b64bd93426dbeb03f935781099e58fa6516d788552
b7815413451c983c73d263da603598bd47011bcd2cf7f0baffe9bf1231a3d3e7
b3c27f3d4e2517d9b7ba380187da4076ea7a498e9409fc2ca313427180f5c0fb
186ae3c3d19e037512a0c7e8f8036abe43a5a10158c0753996948a5acb6889dd
d51b529b848157008ae7495b156b6a47462e98d3b2e77354cb15768c63ef3ff7
2f410840009abee6d4a83cc6482cb7da5f186b38392bd04da20045c2d12bd85d
c61e47adb5dd3cd4914fb5a59be85e143adada6991b956ef33b5693f4f59c284
db3b63b74d18e26ece81dd88be494382026191d510cdef9ff2108e41009545dd
9ab621042d607cbd32de851e158f9069e38643adf4e1155d8f842e53b50bc9fb
1f19699a6cebc09348c0033e3027bfd92d20014b74df85f36622c65482629459
01a4d474bb873397b572bcb6babf556a2b00c866424acd92f9eb478b46e42112
485f925edd2e71f8a06be73c4cbcf0c4cd9f9e5cf6bf580ed9ce4939a3f7bf4a
6e2801f8f42db2a31e99ac5c7ebf2d693d78dd099f9ba3388e58fbd181c343ca
93afdf95025f723ca841c251a9189d52d9b0a04f8ba27e9a99cdac45e280db9e
9c85f5482a1e67795fb5f8fbdb11d1fcd649999fd243eb802d69e54af547f76a
30fae0cfca494715f6252ffb6f20f822ebb250df7e6db46d3a565f3600a9788a
2f5eb84fce28f5c72817232fcd4447480cc37797991de825b5c74cd1bb64a5f2
00a7d28a276609b852406decc4a1fd384d618bcf2a88d8b36732812f557d8751
ae18ef500de766c88a9ed7f1da89fed136a4e235918dfaae0e74ee5d158a8928
186b6114ae97b541695924f8b616331e53d7e48ec9e36acd067e8599423838d0
8e7f7bf4457e9fe9827c45e7976a7bdd3abe27df02e9a21ec25a7ea901ba665a
1b4fe3e40543d3f9837f5181ecb93f816982f46331a6136823c558bebaa99f63
931d72ff6bc6ddd93a40d71444a30ba7ea938b51092b8a74050ce89b630633de
d654c363b8f320c5fd2d544804afffe3ee33c20afc694c42887d5c7a36ea7ac4
1598a44723a94b31630797016221fdfeb8a2d8f3d030956f806040591966da1f
cfbe3d196180b4414a2041378aaa59b626f6d6acde5caef78176896f0636dee1
9116c9364f50a5e9a6217052af6ced5664490230edced716bfd7979fb855d7a5
f4565199231418a4e651250524064d521d249ea5fe006f66c29f4f765877b47c
2480422d1db35870be30ffd2245818b5ac1be51fba181faac08a9a3d7d76a6fc
7eafd8bc7dd24a15b1b93a62dff90ded9c704257fed9b7c73c42014153da2891
1c8131d96627850ef7705c3a9ad5b3c3888ef7330a785ad395cd8dd0b454992b
c11174490a7e628526c6318ea3051f5afc8e8cf7b5fafb8892dd9d935b464c4e
9d26635b8972f1515f97a96bafc908ded40a19b73c6a33151bfce91bc5b14c1e
29881cb13215ee9c2a06a3fb4b99e648075295817a9a8a5dcee3a07ce54589bd
14e611f77744c67113c3f5c209d2ade2a7606f81857e8296316c6b2da1bdd46d
97130fafe31570ab27bdc2f12ba3c61cfe7c618d12d49d6dcfa29fd318c1d848
3144bc97305faff4865049033947b668dc6e4e9ed898cecc8250e3292832bde5
9f4f3f22af197f4d90b1c5088048b3c3dcd06df27542a0cf4ecde1fd3ae99b7d
f5f2dbad54020400d35d3695fa6aa371a46a33cd611f4a34d937df318c241fc8
7b5f0d16c4cad1c899c849680616a959513287d598e6b25a4f8ec14b97326ea9
b79b58356ebbdd8536a88281842c1f6b62c7e81374519866e69069583d6226f8
0f81ae7e1e05d9ca053baa1335ab2749c591092a9fccd394f50263724f662c21
3c4db62895138733283911f7d7b8b26cc75672c72fbc99fe296542fbf3c18bac
023a6207ce76f58f7880f4a29f12a8022f4f770453cfe273ab784cd99fe741ab
ab10b7196b052edfc7b5f67c255964e4fb86d1027928723c4e1ca62adf8fe15c
0b9f86176ad741bb0f758d709e1c575edba2d7c5d0273db318c22f0eac38454e
4d02e2c75e0c1a93f6b2285a7964385cebae63fbd8e49f59095808de24faa09f
448f71facff90f355308916d8c05f76b11e0c95cbd3e7144562809d9a2c18cee
4f5f2a0d5fc97d3c4b2a6f6096387ee0ff7eff1974febe635e3dc0f09a2abb92
53ae05b08fee241dc3b6925fa631b50e81f3faa4ecdc9090dabb1b871e7f90dd
7ead88553a0e5cd16bf07cd5938ad5d4dd7ff68c9221091869bf97b888d2ac0f
b599efd2e66c673820cfd676d9d8095066961d6feb61c6d435144a0d9b226a71
SH256 hash:
a31c1b513ceb579e5282194136be60525eff4c58537cbeb986cce00248531b6b
MD5 hash:
6fba81051e3c0b01419eeedc45773817
SHA1 hash:
8e1df7285525adda41e25533c76a4f3719fb125b
Link:
https://www.unpac.me/results/a0f55f70-e15b-4335-b6a6-20d495e0cf6a/
SH256 hash:
22dfd1f11a3f3bb9e5bf16922860be23f56f1a874a5e54bcd7f680983f9e10ae
MD5 hash:
5b476eda2b2e0c75918a5945d28b7638
SHA1 hash:
657c5dd54ead58318f50c00626a07ad93b54f100
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a0f55f70-e15b-4335-b6a6-20d495e0cf6a/
Parent samples :
5b6679b660f325eca852d70b0d99e5bfdd6826c9a777167d94798f7c90663291
59229c7b70c40875d2d4dc19076b4d19fc32e2d3645530c5f80929543cd2cecc
3ffa015992650bbf7816552c1a97cc737f10b931c13d9cda673d75d3d0bc4af2
b0cf8442952168f43931a315e48588ac0fb3eae7793f7c568dc1015d3307abb0
8a102a4db4038e413d863950c4904308382468c83fd1a6a8430b179d3c22f409
97626bf100427484a73158accec393e92f98a78ed326fc959f8c420b7368f9c2
456758011a20b4844a9d635fe22f96af4b9f41d0596f502535d6bdeb9d7ad959
3f2c4e9d21bed230d6d35b9f3982d67d9d514bdaf89207b3161ceb425ace0a9d
239d8d737fb793b73074e1a1151d00785d914d681f15cb205abd99b04bebfe22
a66f5babbd0c32c187e73ad6d3c0b4c01a51ba73e19ad3b250b1c5f733b781da
9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b
2850a4cfaf2a7c6f1347e71f9466cc779ff3adcf54583d29769130954910a310
d3cb7ec0a3ad5abe44e87d36243bbe2c15e544f6a0c6d94f928897351e7fb9e6
6ff16975cf50ef941b98d30c53979d49a945546f909f45183f6fe3541dbd07c7
ac1f34b312ed3c907e60ab5998d571c5d7eb5320404c7b7d466a65a4656437f3
f0de95ce126151d1ea32a246ca91789a0efaa766f4dea18bc294301f0bbd36e7
b3c27f3d4e2517d9b7ba380187da4076ea7a498e9409fc2ca313427180f5c0fb
186ae3c3d19e037512a0c7e8f8036abe43a5a10158c0753996948a5acb6889dd
d51b529b848157008ae7495b156b6a47462e98d3b2e77354cb15768c63ef3ff7
2f410840009abee6d4a83cc6482cb7da5f186b38392bd04da20045c2d12bd85d
c61e47adb5dd3cd4914fb5a59be85e143adada6991b956ef33b5693f4f59c284
9ab621042d607cbd32de851e158f9069e38643adf4e1155d8f842e53b50bc9fb
1f19699a6cebc09348c0033e3027bfd92d20014b74df85f36622c65482629459
485f925edd2e71f8a06be73c4cbcf0c4cd9f9e5cf6bf580ed9ce4939a3f7bf4a
93afdf95025f723ca841c251a9189d52d9b0a04f8ba27e9a99cdac45e280db9e
9c85f5482a1e67795fb5f8fbdb11d1fcd649999fd243eb802d69e54af547f76a
2f5eb84fce28f5c72817232fcd4447480cc37797991de825b5c74cd1bb64a5f2
00a7d28a276609b852406decc4a1fd384d618bcf2a88d8b36732812f557d8751
8e7f7bf4457e9fe9827c45e7976a7bdd3abe27df02e9a21ec25a7ea901ba665a
1b4fe3e40543d3f9837f5181ecb93f816982f46331a6136823c558bebaa99f63
931d72ff6bc6ddd93a40d71444a30ba7ea938b51092b8a74050ce89b630633de
cfbe3d196180b4414a2041378aaa59b626f6d6acde5caef78176896f0636dee1
9116c9364f50a5e9a6217052af6ced5664490230edced716bfd7979fb855d7a5
2480422d1db35870be30ffd2245818b5ac1be51fba181faac08a9a3d7d76a6fc
1c8131d96627850ef7705c3a9ad5b3c3888ef7330a785ad395cd8dd0b454992b
c11174490a7e628526c6318ea3051f5afc8e8cf7b5fafb8892dd9d935b464c4e
9d26635b8972f1515f97a96bafc908ded40a19b73c6a33151bfce91bc5b14c1e
f5f2dbad54020400d35d3695fa6aa371a46a33cd611f4a34d937df318c241fc8
b79b58356ebbdd8536a88281842c1f6b62c7e81374519866e69069583d6226f8
ab10b7196b052edfc7b5f67c255964e4fb86d1027928723c4e1ca62adf8fe15c
0b9f86176ad741bb0f758d709e1c575edba2d7c5d0273db318c22f0eac38454e
4d02e2c75e0c1a93f6b2285a7964385cebae63fbd8e49f59095808de24faa09f
448f71facff90f355308916d8c05f76b11e0c95cbd3e7144562809d9a2c18cee
53ae05b08fee241dc3b6925fa631b50e81f3faa4ecdc9090dabb1b871e7f90dd
75bf369db5c49e62ca1cfa8337902de9830f73ab3e7d9a636513c078e639c042
ffb9aaeabb07b07ab4f7fb2e4d62dc7ade2e5fb55ed3b43fc38a81ec6fbd4dac
b599efd2e66c673820cfd676d9d8095066961d6feb61c6d435144a0d9b226a71
10c301f78c4ab9a5b1be09c8abdaa7092a1b6591e1a374d9cbb4c53111b8ffee
34e214de59f87335c4107f7148ee5e98d31ce33224ae45f6ad6356025d53da14
SH256 hash:
9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b
MD5 hash:
792c71d5b41dc84e43dab64f1814c025
SHA1 hash:
cf8b763bd96df2730a15962a329e0acbd8ec72ec
Link:
https://www.unpac.me/results/a0f55f70-e15b-4335-b6a6-20d495e0cf6a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f68cb3cb138/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9f68cb3cb138b1d4a5d44f8d7a726cad0f006e1939aa4f44620d45c60a93412b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2532610/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/367930/

Comments