MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b62ff82900e0475b3d01131544b0490f3220391baf8e8a16f38bbb21bff540e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: b62ff82900e0475b3d01131544b0490f3220391baf8e8a16f38bbb21bff540e9
SHA3-384 hash: 7eb70df50ce16c0bcbca2f59b8e8714c40e67094cb0ef54060d7e35bc158c9005bfd7607f692856079772a8e787996ea
SHA1 hash: 094db35b16c7fe57226247c1989060c2a398c98c
MD5 hash: ebbbe6540d02161aa80d5ed88fca6c91
humanhash: purple-mexico-mississippi-alabama
File name: file
Download: download sample
Signature: RedLineStealer
File size: 355'840 bytes
First seen: 2022-11-07 19:08:46 UTC
Last seen: 2022-11-07 22:12:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e2a07bb4b81e6c6d0f72670722ee7e56 (20 x RedLineStealer)
ssdeep: 6144:qXf1As+QF7IHKOkGbuUT4+JBVfUAOOJYJfPfc+freo5JSjZY857V+1:qXf1ATQF7IHKOcAknL5z8+1
Threatray: 1'141 similar samples on MalwareBazaar
TLSH: T10574CF40B5D3DA72D9B2543A09E0DB75897DB8100F7099FF67E4076B4E202C3A9B297A
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence


File Origin
# of uploads: 5
# of downloads: 185
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-07 19:09:49 UTC
Tags: trojan rat redline
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-11-07 19:09:08 UTC
File Type: PE (Exe)
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:711 infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction: 194.110.203.100:32796

Verdict: Informative
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 88334ae07e902a8cbd8fdfddb1be2493b9a2e7754830c98bc25b6859fdcdd9c2
MD5 hash: 2dbb1ab212ce945988257402c05cfb22
SHA1 hash: 74ee4c805abb738237d3483aba2e12f557c024d2
Detections: redline

Parent samples:
SHA256 hash: b62ff82900e0475b3d01131544b0490f3220391baf8e8a16f38bbb21bff540e9
MD5 hash: ebbbe6540d02161aa80d5ed88fca6c91
SHA1 hash: 094db35b16c7fe57226247c1989060c2a398c98c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments