MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45
SHA3-384 hash:	1dcef0da69a83ce4f8bfacef87ea8e8a3cee35510df4c6d552557c87cc6762948a8616c6aeb4a80bc2d2d786216d95f1
SHA1 hash:	16c2dd20b7d47c279bb6ef46b6c1ffd5808414a0
MD5 hash:	03740d06f5bd445c13cf670ed84296a6
humanhash:	early-sodium-maine-william
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	438'272 bytes
First seen:	2022-10-20 19:45:46 UTC
Last seen:	2022-10-21 04:23:18 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:FH5sXKbcTSqPYcpcHkPHdug051FL2rBwmFiGkz2Xdd33Sh1Csh9K6IjfAThCwXqu:bsXKlqPYc+gc1FIwmMjzQaCsLTRXaES
Threatray	506 similar samples on MalwareBazaar
TLSH	T117946C8040E3697DD86EB2B8BF4E34E266BF52CB8B676374D596258E648C205D1C1F0F
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc32384019_646181380?hash=TvdmLOj8B7zzGiuMwFXRC93TtJSx82IEZbhqsZpYlEg&dl=GMZDGOBUGAYTS:1666285773:rKP48XhDVTph8EdOJGGoEmZdYAGc3td9RNv91JErlbD&api=1&no_preview=1#101401

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-10-20 19:48:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/feb0f3a7-25b3-420c-8bca-b6fe3b19c566

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322125/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Reading critical registry keys

Creating a window

Creating a file in the system32 subdirectories

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6351a57da67b0a5ed57a88fe/reports/b0dde777-b5db-4ca5-8538-a5fb2622e5de/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ada61ace-4f32-42ce-b783-76d8d3f474d0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1094453

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45/

Threat name:

ByteCode-MSIL.Infostealer.Tedy

Status:

Malicious

First seen:

2022-10-20 20:20:57 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 42 (30.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wyj7bcqamppfjzxotnwtx2z23e6bz7vso4ye3z2jcmqso3k53rcq._file

Verdict:

malicious

RedLineStealer

6b7204b9938cdc7e24b589faac4e12ed848c7121269899614b38bc95784845b9

RedLineStealer

7157ea22835284e4b38c05ac415ead575656efa2389f74dcfbb8ab910031427c

RedLineStealer

9316de8b3697c6a6f1fba5bc0b653cfb6202aa7429b5d203523a9768e9a772e9

RedLineStealer

a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574

RedLineStealer

b13bc9c14764fa971ad6e5f0d4583ed0a25b4ffd7a426a2b7e28567f78c4d165

RedLineStealer

bb06bf5d8b68991bf2545a1b560b535d35ec17f870f4b53f62c31dc3d1148408

RedLineStealer

ea22f746189bf2d6ad50b7e04bf79cc153ce431f04dd2c5437632949d7eb66d0

RedLineStealer

+ 496 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:lx1809 infostealer spyware

Link:

https://tria.ge/reports/221020-ygys8acba8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

77.73.134.2:4427

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/90a54479-00ce-462d-adeb-56e07035b830

Unpacked files

SH256 hash:

b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45

MD5 hash:

03740d06f5bd445c13cf670ed84296a6

SHA1 hash:

16c2dd20b7d47c279bb6ef46b6c1ffd5808414a0

Link:

https://www.unpac.me/results/21cc458e-81f2-4d34-b6ea-d5067b7b84e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/322125/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample