MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
SHA3-384 hash: ba968efdd1efe525767d3f767ca0745e89abbcc6aae8ca1728039ec5fb351e4e113394011976b5f2d740e6a971335506
SHA1 hash: 68eabdb803cb5a7764364b7d30991b231de59690
MD5 hash: 44f44dded8ad5ef66bd928d17f748923
humanhash: washington-delta-illinois-angel
File name:44f44dded8ad5ef66bd928d17f748923.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:378'880 bytes
First seen:2023-07-20 10:17:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 675e338c40bc907ae80a56e3e3f59843 (2 x RedLineStealer)
ssdeep 6144:8t0LSNWG423ZcjxPqwh6JhzkqdZBMvbjEenmgJS:+0+NWG42JcjIwhS9kN5JS
Threatray 150 similar samples on MalwareBazaar
TLSH T16C840983C7A23D49E9278B769E2FC6E8764DF6508F4D377D62189A2F04B01B3D1A7610
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0030c09010381800 (2 x RedLineStealer, 1 x Stop, 1 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
178.32.90.250:29608

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
44f44dded8ad5ef66bd928d17f748923.exe
Verdict:
Malicious activity
Analysis date:
2023-07-20 10:21:01 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/7db02ea4-fef4-43ce-9530-26143621816e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/425980/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64b909eabff77678e74747ea/reports/308021e9-dbb9-4232-b1ce-48e3f7e2cbce/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce350a91-218d-4e36-83f4-0d4975f2d0f7
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276649
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa/
Threat name:
Win32.Ransomware.Stopcrypt
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 10:18:15 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whxy5d6dltepszdkfhutgiwoeppddiqyexxym65jx6iduib5l35a._file
Verdict:
malicious
Similar samples:
205b16fb503856c22a47de9919147f75eca374fa0c0b9a63e734483e71bb4a47
RedLineStealer
40d13591223dbd911748629e13c2530c4a8f9a1c406aa82f07354f0eb787f4dd
RedLineStealer
5f1c7c05ef502fa4b2bb54351f0ae38a73d25d728e2aa370e739cced90aefb04
RedLineStealer
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
RedLineStealer
6eaec8aaa320b804bf32bde89dfe45ae19c69636b1bd0b38ac0034afd6096d11
RedLineStealer
78a80da889fb77e1536903aa1d2abef676b1663c0cdff25dc03f16254ea2168e
RedLineStealer
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
RedLineStealer
a8ab824da87f6df5db7402a67edca0baf3b2da422ab48dbded3d03cb9e137ed5
RedLineStealer
d3b95985bbdac941180a93d4e2ce29a9fae660f79b2f740eea472d306cb2a062
RedLineStealer
e8d7197a7c6ba760b398ebe50fb5ca8770e454fca9da731438eb329b8db56c3d
RedLineStealer
+ 140 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230720-mbyqgsfd86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
178.32.90.250:29608
Unpacked files
SH256 hash:
fd7fcb15664a8d6b15f986edf7b1b89ac04fd0b7e2c75ba51f2d7be2b16bd25e
MD5 hash:
226ebe2b896adda7d7ca7808c7830e79
SHA1 hash:
dbc7a3619f3ae0e77d983718ddf7447ff9aa2e0c
Link:
https://www.unpac.me/results/2ba77745-596c-4cf0-8c83-184565ebd351/
SH256 hash:
055d23615d232b3b26dce994eb4e011505be13199c97610974f011bba0adc805
MD5 hash:
84fdf79fc25c72aa2a12972d25e8476b
SHA1 hash:
72288d6450b272481eb9a606367f7ee848427f98
Link:
https://www.unpac.me/results/2ba77745-596c-4cf0-8c83-184565ebd351/
SH256 hash:
6b50f48dd61d0e8af9d39ec9c4326a28cd3298e8b336bfdd5c81cd3db2bb1e54
MD5 hash:
c5634c071c4a20379d58bf9e5f4d9a8c
SHA1 hash:
3c5e48ad01611b0c79b204ec398c9b3d8a30a21e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/2ba77745-596c-4cf0-8c83-184565ebd351/
Parent samples :
d3c8faef1fc611343ee8bdd7462c6c9e0b90394da533475f46a518bb2c63329f
7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
7c1f977a3b607dab39ee80ccef392929f038c69d75730e3881011b292c518710
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
0ffe096e263b93450e971cb1485fd907b6572638228a1cd9ddd1575a866c6cc9
cdbfb15564317948c800599bf4e4ae31ca937d89a716dc1bf52752e10fa7980a
732c6933975284af9ff5eb21fb1f667a66c0751cd2dc87cb87e352dfa8918ee3
6cbe4e43208d3edd0da509a7bf7bd1a17b8cdd81806eb7107ab26adc633c4ae2
SH256 hash:
6178ca1d58de3919bbb2953d0571abab36e10d95f83624ec6cd174b1d29aade1
MD5 hash:
92466a9033e3c20a4a960a352ddc1781
SHA1 hash:
35716bf3775bd1662e9359d74fbcbcfcc8427709
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/2ba77745-596c-4cf0-8c83-184565ebd351/
Parent samples :
d3c8faef1fc611343ee8bdd7462c6c9e0b90394da533475f46a518bb2c63329f
7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
7c1f977a3b607dab39ee80ccef392929f038c69d75730e3881011b292c518710
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
0ffe096e263b93450e971cb1485fd907b6572638228a1cd9ddd1575a866c6cc9
cdbfb15564317948c800599bf4e4ae31ca937d89a716dc1bf52752e10fa7980a
732c6933975284af9ff5eb21fb1f667a66c0751cd2dc87cb87e352dfa8918ee3
6cbe4e43208d3edd0da509a7bf7bd1a17b8cdd81806eb7107ab26adc633c4ae2
SH256 hash:
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
MD5 hash:
44f44dded8ad5ef66bd928d17f748923
SHA1 hash:
68eabdb803cb5a7764364b7d30991b231de59690
Link:
https://www.unpac.me/results/2ba77745-596c-4cf0-8c83-184565ebd351/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1ef8e8fc35c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2686296/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/425980/

Comments