MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcd6d971e1e2c23e4d3b9632bc6d3b2f27732c02f25e63d6f7445493d3959504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	bcd6d971e1e2c23e4d3b9632bc6d3b2f27732c02f25e63d6f7445493d3959504
SHA3-384 hash:	195174ff36926bc292791bc9c3283e19dffcb2bb38ea340d5f9b419db4d1688c6ef8bd3721979840476eae9e2c8f55b4
SHA1 hash:	f33d5113f99dcb732b81b22f164847ef066eff02
MD5 hash:	190929b5f8971b8e1cc94a441908dac3
humanhash:	eleven-blossom-india-oklahoma
File name:	190929b5f8971b8e1cc94a441908dac3
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	314'880 bytes
First seen:	2022-06-09 16:58:00 UTC
Last seen:	2022-06-09 17:39:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e82a6599dfbacb956664113cd0d6a9ce (4 x Amadey, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep	6144:ZYhV9cM3h1jrEGJW6UIyrwMQE4/Tchnp6YrP9XE:ZYhV2M37jrEGJLyrRQEscjxr1XE
Threatray	6'832 similar samples on MalwareBazaar
TLSH	T1DF64F120B7F9C932E1B3553058B0D212693B7813663589CF6B68077A2FB17C227B975B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

190929b5f8971b8e1cc94a441908dac3

Verdict:

Malicious activity

Analysis date:

2022-06-09 17:03:59 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/22919846-bda1-42d4-9bf7-ecf9be4f4adc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/278444/

Detection(s):

SecuriteInfo.com.Variant.Mikey.138304.3710.29883.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed ransomware

Link:

https://www.filescan.io/uploads/62a226b6e22d00d5e196cfab/reports/f22d8065-3a7e-4613-8292-2e6e1df41b6d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f4e17ce9-0dfe-4efe-9f12-2b93407bb0a0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010226

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bcd6d971e1e2c23e4d3b9632bc6d3b2f27732c02f25e63d6f7445493d3959504/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-09 12:50:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xtlns4pb4lbd4tj3syzly3j3f4txglac6jpghvxxirkjhu4vsuca._file

Verdict:

malicious

RedLineStealer

5b1556fc720ead9f3505bbffa66fb38c1bd724fed4d09530a33e4b12cd300904

RedLineStealer

5fd46b0d3207b06f1575d40854fc514235485cc242428f07d6b06b9b3081112f

RedLineStealer

627898083243468f15943e3752d0ca2c463d2548316d5ca6bca78972c27cd6ef

RedLineStealer

659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767

RedLineStealer

a61d991d01857b94696c896e5f0a9b5a5537d7f7bdfa342551f88fc6c865d3ad

RedLineStealer

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

RedLineStealer

beea56a23dafd425aa57b3b05cd4d44c7615633292b20fb9bb22e08469fa6634

RedLineStealer

+ 6'822 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:lyla3 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220609-vgtbysabhq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

185.215.113.201:21921

Unpacked files

SH256 hash:

d228744910307bc1c2ec2c2c4a63a3d8a61c50027958eb7fb5f0c5d9134eec49

MD5 hash:

f166058ceda371991b6d2637c9fb750d

SHA1 hash:

f8a98ca98ab7ce16db31cbe48c0c75c781c6282a

Link:

https://www.unpac.me/results/6ab9c3e4-7717-4df8-b9bb-6e7bf21cb346/

SH256 hash:

60ce572f227d15d9c7cd9abf5f8af378b9471d19d80e3384614d768b7c499f96

MD5 hash:

44ada9580c7cf4e11e2e87b143484274

SHA1 hash:

ecb6ff2041e98c765ec33be27146c126f594f1d5

Link:

https://www.unpac.me/results/6ab9c3e4-7717-4df8-b9bb-6e7bf21cb346/

SH256 hash:

dbfef0db6356ab72cdd884fafa642ab37451adbaab3c88cf745974f684354805

MD5 hash:

9fbe48a12155ca60c5ca35d0ec4469bc

SHA1 hash:

2931c209a6743a6ab1eb865a65aa8262d8b24500

Link:

https://www.unpac.me/results/6ab9c3e4-7717-4df8-b9bb-6e7bf21cb346/

SH256 hash:

bcd6d971e1e2c23e4d3b9632bc6d3b2f27732c02f25e63d6f7445493d3959504

MD5 hash:

190929b5f8971b8e1cc94a441908dac3

SHA1 hash:

f33d5113f99dcb732b81b22f164847ef066eff02

Link:

https://www.unpac.me/results/6ab9c3e4-7717-4df8-b9bb-6e7bf21cb346/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bcd6d971e1e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bcd6d971e1e2c23e4d3b9632bc6d3b2f27732c02f25e63d6f7445493d3959504

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.