MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
SHA3-384 hash: 06dd93935a6d03703bad03e5548cc88e58290dfc407ce1e10ad3b73ebc3fa3eed6527db7451384b8fa301133884e998f
SHA1 hash: 36830e973c50a88f0e49a201730af3e04c995c1f
MD5 hash: 6d3a88a202ef9616439751588421a6de
humanhash: california-shade-solar-louisiana
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:249'344 bytes
First seen:2023-07-14 12:31:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2c874c7d15ad5fc4faa356082475621 (3 x RedLineStealer, 1 x Fabookie)
ssdeep 3072:YQLkmP451iuiDJYFPINDXQ38UT5xS5FEOcuuaKthrHeRKYIbWpu4E5I8:rLkmAkoKuOpudeRCKpui8
Threatray 127 similar samples on MalwareBazaar
TLSH T11A34F02139E1CC72D116D9391C61C2A4AD2FB8725B72EDD777681A3A4F312C287BD34A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0818091248402000 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.136:3004/

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-14 12:36:01 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/537e2fb4-e294-4dbd-ac61-cbbc5b87c99a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/418857/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d64c9f06-4e6b-4276-82ac-e3b894dd4e5e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273157
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-14 12:32:04 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wv66g6ua65ahrkld37bo6webeuf6je23bxhbaoxr4fdzdfoatb3a._file
Verdict:
malicious
Similar samples:
02faea4481281e7d6e4bd48f06e969b6a9854d4746525af6ccae7a9748b49b95
RedLineStealer
1e34106fd70c84ab8a1a0b27425e2f6d53500fc48bbdc5b02041fb3459721473
RedLineStealer
2a5de2e7ec1dcc3e5b3c1a702b2efd8a60f928dfd641f152212647ed0c067218
RedLineStealer
39ff18916d45394e08dd2c2bd297f30671829ea91812af3c2a0a32b73d274e69
RedLineStealer
57641aef77ca6506c2ae922b35261631de04da377750a3494acbf7ca8951ac9b
RedLineStealer
5a6efc81f1a3e1c8266cbacdeaf04ee400dfcc3bc5998c6df13e68ad6f51cdc7
RedLineStealer
642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa
RedLineStealer
e6b5e4a15de0758793c71dd1b8ae4b6362a127148f70e25d8844156f114a86c0
RedLineStealer
f22e976a3cc892e7c21cf6e222d0cf2e0e6c0dc0f7b882c7ac8d365a1e3b4cd1
RedLineStealer
+ 117 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230714-pql2caee8y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
147.135.165.22:17748
Unpacked files
SH256 hash:
61b665c9d8c6bb36efbc081af7030d7e718131d9127c78d7c48471b3c49d0b11
MD5 hash:
ef52db00c32eeb6297612393e4b31d27
SHA1 hash:
e3df44ad822b71873567544c7894f91aa19f87b5
Link:
https://www.unpac.me/results/fa08384b-af59-44b0-933f-a69f09900fe7/
SH256 hash:
e6d5c75e062e590de5bccb3f2d348da93d3369060ac4724a097df9a84bc2906c
MD5 hash:
dee4dac93828efe1377fd597e394bb91
SHA1 hash:
b618a9f382ff66393bd564307d9bd908626555b1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/fa08384b-af59-44b0-933f-a69f09900fe7/
Parent samples :
904dc186be98665e05bbadc41d8e5e6aea449d40027e726c96dc184c15e77c8f
b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
6b714efecfe9f33ea5f6d1e9b3ef6f7a6b360e68d0fc4ab27026aa0a9a81ccf0
84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d
2fc938491c21e70d94e8de8846ed3d9c32c333b868bd4e6345a28738c2524026
SH256 hash:
69cdae1909872cf0df31b20fea0b448ea41e51203a664f5f309f5d5e27ee90e3
MD5 hash:
c4e84afb3e6ac5912f3ce8f7c37ce5ff
SHA1 hash:
a553d631ac0142489230feb92cc1cca38596dffc
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/fa08384b-af59-44b0-933f-a69f09900fe7/
Parent samples :
904dc186be98665e05bbadc41d8e5e6aea449d40027e726c96dc184c15e77c8f
b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
6b714efecfe9f33ea5f6d1e9b3ef6f7a6b360e68d0fc4ab27026aa0a9a81ccf0
84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d
2fc938491c21e70d94e8de8846ed3d9c32c333b868bd4e6345a28738c2524026
SH256 hash:
4746a9777ee10aceaf482c9f7aa48c7e8e688a9f2e105ed40565867736b7db5b
MD5 hash:
baf4c16080b5a398b82067484c3fe88b
SHA1 hash:
5f127ae2c31d9f6b7042f62bf49c3c2720151a56
Link:
https://www.unpac.me/results/fa08384b-af59-44b0-933f-a69f09900fe7/
SH256 hash:
b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
MD5 hash:
6d3a88a202ef9616439751588421a6de
SHA1 hash:
36830e973c50a88f0e49a201730af3e04c995c1f
Link:
https://www.unpac.me/results/fa08384b-af59-44b0-933f-a69f09900fe7/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b57de37a80f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2682583/
Cape
Cape
https://www.capesandbox.com/analysis/418857/

Comments