MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b762c5106004bf9683bd668b800cf26c6f32dfae8373a8075837b7186eda0809. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b762c5106004bf9683bd668b800cf26c6f32dfae8373a8075837b7186eda0809
SHA3-384 hash: 965faa4a589d486816a7b7e7c130f0f592a2d4c459c1ec4457ae5c5affc641efc077bf6b5449e7d93e368bd05cbbb828
SHA1 hash: aee67b073576f0374c28e185b583674b43ce2ca3
MD5 hash: c48014f19e07dc7be56f5b40c0f33e80
humanhash: fourteen-september-kitten-lake
File name:c48014f19e07dc7be56f5b40c0f33e80.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:105'472 bytes
First seen:2022-03-03 10:40:58 UTC
Last seen:2022-03-20 05:27:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:bucUJyKCNYi0T6OpfyIG8zrXv3+JkRL4UOa:bucMX9HfuR
Threatray 4'617 similar samples on MalwareBazaar
TLSH T1D3A34BA167CD8624E2FF4F706CB8119443F4E043A502DB8F5DC960DA1F76B90EA667B2
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.103.86.106:35733

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.103.86.106:35733 https://threatfox.abuse.ch/ioc/392268/

Intelligence

File Origin
# of uploads :
3
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246944/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.32133.32497.14591.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6099db5b-f88a-42d8-ab5b-a923d50668a7
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950004
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b762c5106004bf9683bd668b800cf26c6f32dfae8373a8075837b7186eda0809/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-02-18 07:56:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
36 of 42 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5rmkedaas7zna55m2fyadhsnrxtfx5oqnz2qb2yg63rq3w2baeq._file
Verdict:
malicious
Similar samples:
013d7d2e73fdd28f0af0b3e5a057461d6041b0a13f487802a181d8378cbbae3b
RedLineStealer
1ddbe4b8bd2199ba2b52ddae006365a191e380b52196ad950018f53db5ea5c0c
RedLineStealer
b63ab3c3d30931c5c5297641b70cd011151334a03151287e57d7b6d7a32ba457
RedLineStealer
b6cb082a4eea02dc5da3037d71abd3a8fa0f475200fe75adadb12d791a133457
RedLineStealer
bef679a7a5813bf427d09590de7d2f483f8607c44172738aaee3760262eb29a8
RedLineStealer
cd3c72abed935a7b83c5dc1cdb1383922e42ab145b2cf0206d5f0d1aa6382f37
RedLineStealer
e67b5e1f2fb6ab615e07315e4c5db283039258b1ba7d8214a43bd43db26d6b99
RedLineStealer
+ 4'607 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:two discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220303-mq4kaaaee2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
94.103.86.106:35733
Unpacked files
SH256 hash:
b762c5106004bf9683bd668b800cf26c6f32dfae8373a8075837b7186eda0809
MD5 hash:
c48014f19e07dc7be56f5b40c0f33e80
SHA1 hash:
aee67b073576f0374c28e185b583674b43ce2ca3
Link:
https://www.unpac.me/results/2262ad1b-2e2d-4d67-bebd-da929ee1313a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b762c5106004bf9683bd668b800cf26c6f32dfae8373a8075837b7186eda0809

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b762c5106004bf9683bd668b800cf26c6f32dfae8373a8075837b7186eda0809

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072562/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246944/

Comments