MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a551f426ce655d03096a708ffd0fdec2f2a73900ce7a2688669dd652373711d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: a551f426ce655d03096a708ffd0fdec2f2a73900ce7a2688669dd652373711d5
SHA3-384 hash: e91302cfae0ea1251a7aecaa221253845cb0504a01c8f1798a44480e522e3b9f15f8e434d91bae2ae531c8f836ea186f
SHA1 hash: f6c590bd2a41ce149bdcc0e7715a046593da3fd0
MD5 hash: b0c5c151249d7428e03945e616140b72
humanhash: stairway-king-lamp-robin
File name: file
Download: download sample
Signature: RedLineStealer
File size: 222'208 bytes
First seen: 2022-11-23 12:41:58 UTC
Last seen: 2022-11-23 14:38:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f889c281b8c32c3abe6d39de60b78eca (19 x RedLineStealer)
ssdeep: 3072:EW84v790Lox+J4ETyre2xRc0jqr76OlnA9DMpYU4KZe8JbJ3Yl6PR+cpY8jwVS:EWfvZ0Loqwe2xrjq6O4MJ4bM5Y4+cE
Threatray: 1'594 similar samples on MalwareBazaar
TLSH: T130249D1774C0B131C45FC6B121A54BE7003FE6B327E6960AA30C5E1EB6615FA63A2BF5
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe RedLineStealer
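The imphash above is what MalwareBazaar pivots on for the "19 x RedLineStealer" count: two binaries built by the same toolchain from the same source import the same functions in the same order, so they share an imphash even when their code bytes, packer stub or signing differ. The example below is added here and is not MalwareBazaar's or pefile's code; it reimplements the published imphash scheme (lower-case module and function names, strip .dll/.ocx/.sys, ordinals as "ordN", join as "module.function" with commas, MD5) on constructed import tables so the clustering can be seen without a real PE. The import lists and sample ids are constructed, not taken from this sample; on a real file, `pefile.PE(path).get_imphash()` produces the value MalwareBazaar shows.

```python
import hashlib

# Module-name extensions the imphash scheme strips before hashing; any other
# extension is kept as part of the module name.
STRIP_EXT = (".dll", ".ocx", ".sys")


def normalize_imports(imports):
    """Build the canonical string that imphash hashes.

    imports: list of (module, symbol) pairs in import-table order, where
    symbol is a function name (str) or an ordinal (int).  Module and function
    names are lower-cased, the module extension is stripped, ordinals become
    "ordN", and entries are joined as "module.symbol" with commas.
    Simplification (assumption): the ordinal-to-name lookup that pefile does
    for a few well-known DLLs (e.g. ws2_32, oleaut32) is omitted here.
    """
    parts = []
    for module, symbol in imports:
        module = module.lower()
        for ext in STRIP_EXT:
            if module.endswith(ext):
                module = module[: -len(ext)]
                break
        name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{module}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalized import string, as a lowercase hex digest."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group {sample_id: imports} by imphash; this is the "N x family"
    pivot MalwareBazaar shows next to an imphash."""
    groups = {}
    for sample_id, imports in samples.items():
        groups.setdefault(imphash(imports), []).append(sample_id)
    return groups


# Constructed import tables (not from the sample on this page).
# SAMPLE_A and SAMPLE_B are "two builds of the same loader": identical import
# order, only the casing of names differs, which normalization removes.
SAMPLE_A = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("ADVAPI32.dll", "OpenProcessToken"),
    ("WS2_32.dll", 115),  # import by ordinal, hashed as "ws2_32.ord115"
]
SAMPLE_B = [
    ("kernel32.DLL", "getprocaddress"),
    ("kernel32.DLL", "loadlibrarya"),
    ("kernel32.DLL", "virtualalloc"),
    ("advapi32.DLL", "openprocesstoken"),
    ("ws2_32.DLL", 115),
]
# SAMPLE_C imports one extra function, which is enough to change the hash.
SAMPLE_C = SAMPLE_A + [("USER32.dll", "GetForegroundWindow")]


if __name__ == "__main__":
    print(normalize_imports(SAMPLE_A))
    for h, ids in cluster_by_imphash(
        {"build-1": SAMPLE_A, "build-2": SAMPLE_B, "variant": SAMPLE_C}
    ).items():
        print(f"{h}  {len(ids)} x {ids}")
```

Caveat for triage: the hash is order-sensitive and covers only the import table, so a packed or heavily stripped sample with a minimal import table (LoadLibrary/GetProcAddress only) collides with unrelated families; treat an imphash match as a lead to confirm with the YARA hits and the extracted C2, not as attribution on its own.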


andretavare5
Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence

File Origin
# of uploads: 7
# of downloads: 295
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-23 12:44:47 UTC
Tags: trojan rat redline
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Launching a process
  Creating a window
  Launching the default Windows debugger (dwwin.exe)
  Connecting to a non-recommended domain
  Sending a custom TCP request
  Using the Windows Management Instrumentation requests
  Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware shell32.dll

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature:
  Allocates memory in foreign processes
  C2 URLs / IPs found in malware configuration
  Connects to many ports of the same IP (likely port scanning)
  Contains functionality to inject code into remote processes
  Injects a PE file into a foreign process
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Crypto Currency Wallets
  Writes to foreign memory regions
  Yara detected RedLine Stealer

Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-11-23 12:42:10 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 26 (88.46%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@madboyza infostealer spyware
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of SetThreadContext
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Uses the VBS compiler for execution
  RedLine
  RedLine payload
Malware Config
C2 Extraction: 193.106.191.138:32796
Unpacked files
SHA256 hash: 9dd5783e9f43622a87333d58ccedea122b3105b486cea24738341ef1c8405807
MD5 hash: 36609b0b49fed631b2975737adf6a54c
SHA1 hash: a53f6e723d944242ce1dc3fb6b42d24a709171ef
Detections: redline
Parent samples
SHA256 hash: a551f426ce655d03096a708ffd0fdec2f2a73900ce7a2688669dd652373711d5
MD5 hash: b0c5c151249d7428e03945e616140b72
SHA1 hash: f6c590bd2a41ce149bdcc0e7715a046593da3fd0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create during analysis. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Win32_Trojan_RedLineStealer
Author: Netskope Threat Labs
Description: Identifies RedLine Stealer samples
Reference: deb95cae4ba26dfba536402318154405
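The BitcoinAddress hit is worth a second look on a stealer that, per the sandbox reports above, "Tries to steal Crypto Currency Wallets": a legacy Bitcoin address is Base58Check-encoded, so "valid" means the last four bytes equal the first four bytes of SHA-256(SHA-256(version || hash160)), and a random Base58-looking string fails that check. The example below is added here and is not Didier Stevens' rule (his YARA text is not on this page); it scans a byte blob for address-shaped candidates and keeps only those whose checksum verifies, which is how to separate a real hard-coded wallet (for example a clipper's replacement address) from incidental Base58 noise. The candidate regex and the sample blob are constructed assumptions; the one real address in the blob is the well-known Bitcoin genesis-block address.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet: no 0, O, I or l.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Candidate shape for legacy P2PKH ("1...") and P2SH ("3...") addresses:
# 26 to 35 Base58 characters. This pattern is an assumption for the example,
# not the text of the rule on this page.
CANDIDATE_RE = re.compile(rb"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s):
    """Decode a Base58 string to bytes; each leading '1' is a leading 0x00."""
    n = 0
    for ch in s:
        if ch not in B58_INDEX:
            raise ValueError("non-Base58 character")
        n = n * 58 + B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(s):
    """Base58Check verification for a mainnet legacy address."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    if payload[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH version bytes
        return False
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def find_btc_addresses(data):
    """Return every checksum-valid address found in a byte blob, in order."""
    found = []
    for m in CANDIDATE_RE.finditer(data):
        candidate = m.group().decode("ascii")
        if is_valid_btc_address(candidate):
            found.append(candidate)
    return found


# Constructed blob standing in for a process dump: one genuine address, one
# near-copy with a single character changed (checksum fails), and a run of
# Base58 characters that matches the regex but is not an address.
SAMPLE_BLOB = (
    b"\x00\x00config: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa ; "
    b"decoy 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb ; "
    b"junk 11111111111111111111111111\x00"
)


if __name__ == "__main__":
    print(find_btc_addresses(SAMPLE_BLOB))
```

The same checksum step is what turns a regex hit into evidence: a YARA rule that only matches the Base58 shape fires on plenty of benign binaries, whereas a candidate that passes Base58Check inside an unpacked stealer is a concrete IOC to record alongside the C2 extracted above.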

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments