MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aeb61f0481761fc93164b5fe5593431438fa2531f6375f3d88938742d73bade4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	aeb61f0481761fc93164b5fe5593431438fa2531f6375f3d88938742d73bade4
SHA3-384 hash:	f77cfe363c3891bf52545c13373bbd4436cbb6a99f7cdc9913ed2e359f5ae33d270cc24f17e550bd0e6355484485c48f
SHA1 hash:	9379d59b5c6105c9ba7c08b99404ea696372c124
MD5 hash:	780702b55bf0f995e46ce8d6fcc2fff0
humanhash:	carpet-mobile-lake-lithium
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'191'424 bytes
First seen:	2022-10-24 07:15:53 UTC
Last seen:	2022-10-24 18:14:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f9dd8a0feaf4fa9fd20d4d8ea4827100 (17 x RedLineStealer, 2 x ArkeiStealer)
ssdeep	24576:kR0C2AYpYjgHfpMb/sYU3Gn4y/JB1bwX8c:q0CQ4B3oN
Threatray	2'267 similar samples on MalwareBazaar
TLSH	T1A0455B29FB0725B4DA235371895FEA7B9B147A148032EE7FFF8BDA08B4330127845665
TrID	44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc733883836_657424669?hash=lYQ0ABWCPO5yWkwr17ldBUB23ANKhMtk3ohzp5XcAjs&dl=G4ZTGOBYGM4DGNQ:1666595217:Qr40ZzeMXPldEdiqBI0z3seql9BMOZoBzY8NUqFh4nP&api=1&no_preview=1#new

Intelligence

File Origin

# of uploads :

326

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-24 07:16:54 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/b496502d-b7b5-4252-9c3f-74d35336ba3a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/323248/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the system32 subdirectories

Creating a file

Launching a process

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2a6063f1-aea2-4f4d-a053-1539440403f2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096250

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aeb61f0481761fc93164b5fe5593431438fa2531f6375f3d88938742d73bade4/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-24 08:13:55 UTC

File Type:

PE (Exe)

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v23b6beboyp4smlewx7fle2dcq4pujjr6y3v6pmisodufvz3vxsa._file

Verdict:

malicious

RedLineStealer

32b56b40f161ae8174b790aabcf240593d33b0b5d9003949e00dec168f06c8ab

RedLineStealer

3f9743110bc5c7fc10691f6d2b4625eec8a83fd1ac0ba013761d94959d1c822c

RedLineStealer

4baad1bdeba458bce02653fe5c28afb57116bd69671345279c37d0b33b79c0a1

RedLineStealer

8513c5a6cb2803d9297604afb67db9591f7becc4305afa6860d54beae5167d67

RedLineStealer

97f002b5398f5c8d860363444caaaee16e40d2376a97d7a9a89def630512608e

RedLineStealer

+ 2'257 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:new1024 infostealer spyware

Link:

https://tria.ge/reports/221024-h3sw4afcdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

denestyenol.xyz:81
exirdonanos.xyz:81

Unpacked files

SH256 hash:

46ec4f6144f736740d0ad70c1dcca2c649dc6977065bd9732871c66de93ae3a5

MD5 hash:

7f70d188bd08b9065589d6664961d149

SHA1 hash:

c53aaff1b1d79c6df3290569ab1b12231374085f

Detections:

redline

Link:

https://www.unpac.me/results/ab5565b1-9a9a-47f9-87d0-8c402281dab1/

SH256 hash:

aeb61f0481761fc93164b5fe5593431438fa2531f6375f3d88938742d73bade4

MD5 hash:

780702b55bf0f995e46ce8d6fcc2fff0

SHA1 hash:

9379d59b5c6105c9ba7c08b99404ea696372c124

Link:

https://www.unpac.me/results/ab5565b1-9a9a-47f9-87d0-8c402281dab1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aeb61f048176/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aeb61f0481761fc93164b5fe5593431438fa2531f6375f3d88938742d73bade4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/323248/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample