MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a06fd39e0cedd71ef50194edf23eb14f79fd2d58f113785031f12105832507ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a06fd39e0cedd71ef50194edf23eb14f79fd2d58f113785031f12105832507ad
SHA3-384 hash: 893f557298726ffcfc7932affdb298ed4767f954a70b3288dac6f1eb25a535f0d9d21ed4f58468edcbacbacd77b15c0c
SHA1 hash: 4a45756615c240b02feceabb59119eba7fff3f3a
MD5 hash: 9f3f42cbb36a27bf6a7a16e812f49351
humanhash: oxygen-salami-eight-uranus
File name:Blender 2.93.0 Crack Key 3D (Torrent) Free Download Downloader.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:407'040 bytes
First seen:2022-11-26 23:08:16 UTC
Last seen:2022-11-27 00:49:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:Wl9DXemLxKWKyiLmx7lOz5h2HvOT/5rkgfq:cZXBLxriLm7wPIvODf
Threatray 678 similar samples on MalwareBazaar
TLSH T17D84E1B99080A157E7AF457C20913E39C6669E88DB505F0678D11E338EACE4F0629FDF
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338882/
Detection(s):
SecuriteInfo.com.Win64.CrypterX-gen.30897.12503.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Blocking the User Account Control
Forced shutdown of a system process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed redline
Link:
https://www.filescan.io/uploads/63829c8e00c584752ee20711/reports/5353e2a9-7cb2-44d2-84d8-ce833f16fc1a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/13647add-80d1-4c76-bd2c-ba7b3a1160ef
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121738
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates files with lurking names (e.g. Crack.exe)
Disables UAC (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754455 Sample: Blender 2.93.0 Crack Key  3... Startdate: 27/11/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 9 other signatures 2->44 7 Blender 2.93.0 Crack Key  3D (Torrent) Free Download Downloader.exe 1 2 2->7         started        process3 file4 24 Blender 2.93.0 Cra... Downloader.exe.log, CSV 7->24 dropped 52 Creates files with lurking names (e.g. Crack.exe) 7->52 54 Writes to foreign memory regions 7->54 56 Adds a directory exclusion to Windows Defender 7->56 58 2 other signatures 7->58 11 InstallUtil.exe 15 7 7->11         started        16 powershell.exe 21 7->16         started        signatures5 process6 dnsIp7 34 77.73.134.2, 24200, 49703 FIBEROPTIXDE Kazakhstan 11->34 36 gitlab.com 172.65.251.78, 443, 49704 CLOUDFLARENETUS United States 11->36 26 C:\Users\user\AppData\Local\...\651387795.exe, PE32 11->26 dropped 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->60 62 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->62 64 Tries to harvest and steal browser information (history, passwords, etc) 11->64 66 Tries to steal Crypto Currency Wallets 11->66 18 651387795.exe 11->18         started        22 conhost.exe 16->22         started        file8 signatures9 process10 dnsIp11 28 youtube-ui.l.google.com 142.250.203.110, 443, 49705 GOOGLEUS United States 18->28 30 accounts.google.com 172.217.168.45, 443, 49706, 49707 GOOGLEUS United States 18->30 32 www.youtube.com 18->32 46 Multi AV Scanner detection for dropped file 18->46 48 Machine Learning detection for dropped file 18->48 50 Tries to harvest and steal browser information (history, passwords, etc) 18->50 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a06fd39e0cedd71ef50194edf23eb14f79fd2d58f113785031f12105832507ad/
Threat name:
Win64.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 23:09:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubx5hhqm5xlr55ibstw7epvrj5472lky6ejxqubr6eqqlazfa6wq._file
Verdict:
unknown
Similar samples:
022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece
RedLineStealer
17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd
RedLineStealer
33a234f3faa0307efb4e286af5df42a3a71ce440f9be28075d7ec9c669e81df7
RedLineStealer
c4a2d1a93c9da2d51ae8d0ef88b1dbf6fecd931714d9a09221c4f928f6861ce3
RedLineStealer
d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1
RedLineStealer
d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560
RedLineStealer
fcaf490e6ee9254f89eecbce2dd1dfa355e450c30a8648e7db43db4c5e9e434d
RedLineStealer
ff861cbd5dd1021564dbd050ee3cc084a7cc05d45295b3abd3ceb1cf020b7a9a
RedLineStealer
+ 668 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lx2610 evasion infostealer spyware trojan
Link:
https://tria.ge/reports/221126-24381afd5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
RedLine
RedLine payload
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
77.73.134.2:24200
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f57db8b4-1b2f-4594-9748-de5ca0bb99a5
Unpacked files
SH256 hash:
a06fd39e0cedd71ef50194edf23eb14f79fd2d58f113785031f12105832507ad
MD5 hash:
9f3f42cbb36a27bf6a7a16e812f49351
SHA1 hash:
4a45756615c240b02feceabb59119eba7fff3f3a
Link:
https://www.unpac.me/results/ac58c23f-3fa2-420b-896a-6b0477ddf3f3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a06fd39e0ced/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a06fd39e0cedd71ef50194edf23eb14f79fd2d58f113785031f12105832507ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a06fd39e0cedd71ef50194edf23eb14f79fd2d58f113785031f12105832507ad

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/338882/

Comments