MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba62e3fda637027cae8196b25f6028a2403ea3be566d9e530b83fa69b515afc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	ba62e3fda637027cae8196b25f6028a2403ea3be566d9e530b83fa69b515afc7
SHA3-384 hash:	33762cdfb1554b1c215a12d6b8f2a7cc3c4a26f330a9a7d50bd481ae3a5e20359cbbca1cc3cb5ad3c35d3615985392c1
SHA1 hash:	8af5631f50be07af3d5bad94215a0cf84332e996
MD5 hash:	f6c40ad4d156b64ee09e4819612de135
humanhash:	cold-sad-muppet-stairway
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	426'496 bytes
First seen:	2022-12-11 15:38:56 UTC
Last seen:	2022-12-11 17:32:38 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:gAtqdI0HYvotp3QwJ72Ka7rlqBOOz+f9gLr:gAt+I0H1Z7+0BOOz+f9K
Threatray	791 similar samples on MalwareBazaar
TLSH	T17794BF7F0166D7E1E6B9AD7CD6E8D3F00A02983F29160915286117867127E9FF81CBBC
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	b148646472592d92 (2 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc768860070_650629462?hash=QqB9jv6wOdjoi3QKSHVNu8dG1AqtDVmYmofkCs4ZgbE&dl=G43DQOBWGAYDOMA:1670770470:PKnaokfPQq1l4M5m36ZFMhdeMkplkgHkc2ot8PGGFOo&api=1&no_preview=1#777_1410

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/345222/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.13680.5789.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6395f99804e0e79bdf423e5a/reports/a28ba799-f861-4a17-8708-abaa0302b950/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/91ef6ad6-06c0-4f6c-b086-5da50a0f8fc6

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1132256

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ba62e3fda637027cae8196b25f6028a2403ea3be566d9e530b83fa69b515afc7/

Threat name:

Win64.Trojan.Pwsx

Status:

Malicious

First seen:

2022-12-11 15:39:07 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

9 of 26 (34.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xjroh7ngg4bhzlubs2zf6ybiujad5i56kzwz4uylqp5gtnivv7dq._file

Verdict:

malicious

RedLineStealer

3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f

RedLineStealer

473e99cdf2dc25a6bf43a56e9b095639776294bea38321c079cceecb3678c28d

RedLineStealer

4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd

RedLineStealer

66bfc82c4f69f36538f7ff9f5949f72288805850f4b64980c17ec930c6baf224

RedLineStealer

81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3

RedLineStealer

af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2

RedLineStealer

c00660379db4da598cf59eeb74ae9a686803cc4296cbde73a61c988cf87e1d44

RedLineStealer

e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3

RedLineStealer

fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea

RedLineStealer

+ 781 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:special private infostealer spyware

Link:

https://tria.ge/reports/221211-s3l4naha69/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

151.80.89.227:45878

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/232c4bc5-5476-4482-b974-2b4dabfc0b0c

Unpacked files

SH256 hash:

ba62e3fda637027cae8196b25f6028a2403ea3be566d9e530b83fa69b515afc7

MD5 hash:

f6c40ad4d156b64ee09e4819612de135

SHA1 hash:

8af5631f50be07af3d5bad94215a0cf84332e996

Link:

https://www.unpac.me/results/9ca6e49a-0773-438b-a708-2a88c8c57809/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ba62e3fda637/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/ba62e3fda637027cae8196b25f6028a2403ea3be566d9e530b83fa69b515afc7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/345222/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample