MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5c2766ed1e7a6a04a9cca64a805af559185ed978769eb5c19f681207b933387. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	b5c2766ed1e7a6a04a9cca64a805af559185ed978769eb5c19f681207b933387
SHA3-384 hash:	b783cea5bb02b028b6ec273750e3c3449078d034d563898addb017c3e0a6fad1d4a1e0612a72958316c318378cf79986
SHA1 hash:	7982388f1ed0118d9e456e30c515cbcf93bfdda7
MD5 hash:	9a3dfddd931eac9bda5f66a2249f6256
humanhash:	hotel-dakota-earth-batman
File name:	9a3dfddd931eac9bda5f66a2249f6256.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	385'536 bytes
First seen:	2022-04-18 08:50:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e358d30c2dc06052dc73bb8d4e25c1a4 (5 x RedLineStealer, 1 x N-W0rm)
ssdeep	6144:TQAhUXhkNqOSXl53mRVuhnqbtQE3gIJ9b75XdsaxaPMGigaU:TQAhUXhkNqHXl52RVuhiQEQ09b75X17b
Threatray	2'815 similar samples on MalwareBazaar
TLSH	T18184E0117AF2C432E2F31F346474D7A269BFB8326930844AE7545BAE5E303D1AAB1717
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2f0ccf0d4d4b2cc (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.204:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.204:23196	https://threatfox.abuse.ch/ioc/520635/

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-04-18 06:39:45 UTC

Tags:

evasion trojan socelars stealer loader opendir rat redline ransomware stop phishing vidar arkei

Link:

https://app.any.run/tasks/5ca438f2-ad0c-4b5c-ac5e-b15b3edbca0d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264299/

Detection(s):

Win.Dropper.Tofsee-9916206-0

Win.Malware.Filerepmalware-9941437-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware hlux tofsee

Link:

https://www.filescan.io/uploads/625d2679ffe27d5119fd3649/reports/4507eeea-5aeb-4c50-b2fe-e0994b0486c5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c2b9c041-f4e1-49eb-a559-f55fd0698c3e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/978120

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5c2766ed1e7a6a04a9cca64a805af559185ed978769eb5c19f681207b933387/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-04-18 08:51:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wxbhm3wr46tkasu4zjskqbnpkwiyl3mxq5u6wxaz62asa64tgodq._file

Verdict:

malicious

RedLineStealer

452cb72cb4452aade319d85adfd058f86cce3bfa57338b773daa75084634e644

RedLineStealer

5b98e6a1bb630a07e164f1db3c5d1dda1624a33304f255b9b4b2baf15597b963

RedLineStealer

831977a3dbdd231b3bddfc7ee04d9d07426c3d4de8d88aba05f19cfcae8524d9

RedLineStealer

86d557bb62a720e7f83c1792f5687aa36c6165d7738103d9bbac684f1734d1ad

RedLineStealer

+ 2'805 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:55 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220418-kr6d6acdb4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.204:23196

Unpacked files

SH256 hash:

c67c289373763e16e7682fbf9a4839bf8de10b685f7a9846ccb8b67f33171a0a

MD5 hash:

e02097a4c165647ba7bd2c201b5a8830

SHA1 hash:

a75b381c1963f88810e967b760f0e2bc7135958e

Link:

https://www.unpac.me/results/16c54d0a-f830-4afb-85e5-b6b2d4325fba/

SH256 hash:

2287db33252ae4235e31664519250ea8d11b161abd92d63ae7a974ee575054b9

MD5 hash:

8dacddc832cb25a71525a760178a2c89

SHA1 hash:

8396f55b2359eccd28baa734c1421ff148ef1911

Link:

https://www.unpac.me/results/16c54d0a-f830-4afb-85e5-b6b2d4325fba/

SH256 hash:

edad352914ca56e97be19e5781f57822b1c336342a517769a436139a60cedd0b

MD5 hash:

c4284ea12ef1e79054bea4e69ddab1dc

SHA1 hash:

72a53935631eaebd7a649ec586e13177990b9cf9

Link:

https://www.unpac.me/results/16c54d0a-f830-4afb-85e5-b6b2d4325fba/

SH256 hash:

b5c2766ed1e7a6a04a9cca64a805af559185ed978769eb5c19f681207b933387

MD5 hash:

9a3dfddd931eac9bda5f66a2249f6256

SHA1 hash:

7982388f1ed0118d9e456e30c515cbcf93bfdda7

Link:

https://www.unpac.me/results/16c54d0a-f830-4afb-85e5-b6b2d4325fba/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b5c2766ed1e7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5c2766ed1e7a6a04a9cca64a805af559185ed978769eb5c19f681207b933387

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.