MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5e70dbc0fe7595643acebc96c040c279270d333b9cffe095a3d860297ef3591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5e70dbc0fe7595643acebc96c040c279270d333b9cffe095a3d860297ef3591
SHA3-384 hash: ca420ad56ac6e5cf64c3b624f98c866afbdb39ec182e37eba633888d74aedb3f4b4c4ce6b4526d28544be5636b8fc683
SHA1 hash: 686660eb4a333de3248ef6cf3f45e2f650a0df98
MD5 hash: 4ef2b9fe0c5fe214e301946e491416f0
humanhash: alpha-missouri-march-enemy
File name:4ef2b9fe0c5fe214e301946e491416f0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:331'776 bytes
First seen:2021-09-07 10:33:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 268bba94d92d1a87745080c74278035a (3 x RaccoonStealer, 3 x Stop, 2 x ArkeiStealer)
ssdeep 6144:HIeXS8gyH0PNocUkO8cNmPB906HBPSia16pzjdRQCWzz8:HFCEO6g7dhPSd6pzj05zz
Threatray 2'272 similar samples on MalwareBazaar
TLSH T1C664EF1D775CCC21C5D7DD304975F6A40A75B8212963C2AF6FA0267EBEF06A2863231E
dhash icon b27a7c7d727e6e76 (9 x RaccoonStealer, 1 x RedLineStealer, 1 x AZORult)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ef2b9fe0c5fe214e301946e491416f0
Verdict:
Malicious activity
Analysis date:
2021-09-07 10:33:56 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/276a2670-f49f-4fe3-a350-335f4fa29d79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185998/
Detection(s):
Win.Malware.Babar-9891171-0
Create hunting rule

Win.Malware.Jaik-9891192-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Sending a UDP request
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8bd26743-1cc0-4495-973e-cf6c0f71cba3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/846508
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5e70dbc0fe7595643acebc96c040c279270d333b9cffe095a3d860297ef3591/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 22:38:14 UTC
File Type:
PE (Exe)
Extracted files:
60
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxtq3pap45mvmq5m5pewybame6jhbuztxhh74ck2hwdaff7pgwiq._file
Verdict:
malicious
Similar samples:
069834c0109d17508121653ab6d19d1a00bd6e0fb27e2248b0da94dffd517cb4
RedLineStealer
5b92a06e1a204842d4464554a88c12b02b1de728c22e6509e87ea59d1a2ae8eb
RedLineStealer
5d7e056cab62d45da796272f782b92fdba8c38827e678fa1273c0ccb71aa6d83
RedLineStealer
cc1b3e18520c1f5ae7040cbfd2d74c9d3e5c3c47aa01d44d1037fffcbff96564
RedLineStealer
d319ddd3d52abce88199f3b7d1385bb3258290139b8b05a1ef2b672af8da2fba
RedLineStealer
e463abd6719107c76861a49c45e46f7183f0038264f2e31f328bf4eb3554c8a5
RedLineStealer
+ 2'262 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix07.09 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210907-ml6tvacdb7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:6043
Unpacked files
SH256 hash:
aaf4ef7e6468f09fddb7273749f859bd19076f19ddd4eb5265b0000010452db8
MD5 hash:
3c3102625226449c57fe56dab95ee4ff
SHA1 hash:
a655fd01a47623c9af5739f7a6cef6589cc690e7
Link:
https://www.unpac.me/results/e21f639e-d0d9-4000-9d04-9a84aa411b72/
SH256 hash:
ef889ec575c2dab8008521a2d2266f430a48289e6e96029b22797ef2bf19d434
MD5 hash:
403d7ae74f5a8b7aa6cd06cf911158e8
SHA1 hash:
9dfa1d9290adb88892593bcbfb136ba331b06070
Link:
https://www.unpac.me/results/e21f639e-d0d9-4000-9d04-9a84aa411b72/
SH256 hash:
1acf9842777aaa67cb4066e60e885191db0dc096271664a839003489eee9d5c4
MD5 hash:
8a26a1455f033ed1adf85100e03f665c
SHA1 hash:
54779427507ba52866153b771ccc317ca642924e
Link:
https://www.unpac.me/results/e21f639e-d0d9-4000-9d04-9a84aa411b72/
SH256 hash:
b5e70dbc0fe7595643acebc96c040c279270d333b9cffe095a3d860297ef3591
MD5 hash:
4ef2b9fe0c5fe214e301946e491416f0
SHA1 hash:
686660eb4a333de3248ef6cf3f45e2f650a0df98
Link:
https://www.unpac.me/results/e21f639e-d0d9-4000-9d04-9a84aa411b72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5e70dbc0fe7595643acebc96c040c279270d333b9cffe095a3d860297ef3591

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b5e70dbc0fe7595643acebc96c040c279270d333b9cffe095a3d860297ef3591

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1599352/
Cape
Cape
https://www.capesandbox.com/analysis/185998/

Comments