MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbd758f37aeef6a57927c486286c6d4725901ecb399ca9b26a0a0936a5b1050b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: bbd758f37aeef6a57927c486286c6d4725901ecb399ca9b26a0a0936a5b1050b
SHA3-384 hash: 9b8d0f0b8fb781768e6097e481df0588acb7e0c7239368743ff46ffd8a35ae10fe3c7f85f69bf6e5f4b9998eab0e89b5
SHA1 hash: 455185222f7e8b6e3cd0f4f287d880a978907bc8
MD5 hash: babfb38c74366e690fc07396c3bb772d
humanhash: ack-king-thirteen-finch
File name: babfb38c74366e690fc07396c3bb772d.exe
Signature: RedLineStealer
File size: 1'897'908 bytes
First seen: 2022-03-12 13:06:06 UTC
Last seen: 2022-03-12 14:35:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 49152:tus1En9Lj6xyhgyyR95nTJr3356nhLxcjP0ORxFn0zi2Occ:tuJ9H/yNTJT35ehtcjPTF0JOn
Threatray: 4'773 similar samples on MalwareBazaar
TLSH: T19A95331F06A890E6F60943362F397F673796B00258C29B1F9BE63F4D5A19CE8D2C1716
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.129.97.223:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.129.97.223:80
ThreatFox Reference: https://threatfox.abuse.ch/ioc/394390/

Intelligence


File Origin
# of uploads: 2
# of downloads: 279
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Searching for analyzing tools
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Query of malicious DNS domain

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult control.exe overlay packed python redline shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine Vidar
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour:
Behavior Graph:

Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-03-09 03:11:10 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 33 of 42 (78.57%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar botnet:977 botnet:jamienew discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Vidar Stealer
RedLine
RedLine Payload
Vidar
Malware Config
C2 Extraction:
rtrkolada.xyz:80
https://c.im/@sam3al
https://mas.to/@s4msalo
Unpacked files
SHA256 hash: 41929f3a8e56f760e247b251f07477f8a01388d1c7cdf28bd3592b66e76c80c3
MD5 hash: 051fe1b243f8892509836fa6dc0a82c4
SHA1 hash: 6cfddfb20805cbad82e217a70121523f11583a68

SHA256 hash: eb87885ee2172f1c2ac3ebd75178176619d926d37672abd00fb5f68cad8b6734
MD5 hash: d155c95dbab0042a41c7b036c8efcb6c
SHA1 hash: 8eb5d6b4368db55358c014fdd9f0c6e8f48a1742

SHA256 hash: bbd758f37aeef6a57927c486286c6d4725901ecb399ca9b26a0a0936a5b1050b
MD5 hash: babfb38c74366e690fc07396c3bb772d
SHA1 hash: 455185222f7e8b6e3cd0f4f287d880a978907bc8
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments