MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd70cbdaa0661ec1d8abbe194a928e2ef1fde6d47dc32ca705aa306b5c7197ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 8 File information Comments

SHA256 hash:	bd70cbdaa0661ec1d8abbe194a928e2ef1fde6d47dc32ca705aa306b5c7197ca
SHA3-384 hash:	c7d70f94d115a2ed561f0d2c3ef487f9c291a7aefe4a074c4eb12f594a8898b80ef1e578e0a3ae11d08b06e198f66b32
SHA1 hash:	38e17eb99925e9554578c0fa201840f49ef2b43c
MD5 hash:	0f63a1200f5bbec0624b86ff2b6e3e51
humanhash:	sierra-paris-asparagus-mars
File name:	0f63a1200f5bbec0624b86ff2b6e3e51.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'271'296 bytes
First seen:	2021-08-18 19:56:04 UTC
Last seen:	2021-08-18 20:56:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	24576:/+YpJdDgNa/gRPyL64+cM30XcbxQHIZjhT6wAwnIUnJmqsXXj:nJDgILO449xwUjhT6vyIym
Threatray	1'884 similar samples on MalwareBazaar
TLSH	T1EB45E143F640D541E03A4776C8EB442067FCBC27B6B5EA19BDD933A509B23624C6B9CE
dhash icon	00888080a2b09280 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
149.28.252.135:26948

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
149.28.252.135:26948	https://threatfox.abuse.ch/ioc/192169/

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0f63a1200f5bbec0624b86ff2b6e3e51.exe

Verdict:

Malicious activity

Analysis date:

2021-08-18 19:59:14 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/8d0a4a0f-f0ba-40b5-816c-3572765cf26f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/180444/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.4741.30565.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95803352-f78a-4861-9edc-702d1fecff83

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/835354

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd70cbdaa0661ec1d8abbe194a928e2ef1fde6d47dc32ca705aa306b5c7197ca/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2021-08-18 19:57:07 UTC

AV detection:

10 of 27 (37.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvymxwvamypmdwflxymuveuof3y73zwupxbszjyfviygwxdrs7fa._file

Verdict:

malicious

RedLineStealer

1b22cede73b15157e4e5555e8729d6203f563e73943033e26e1082f27576a7b2

RedLineStealer

21c9d551916ce07bc434b9f1dfa8aaa4cd47c2746a0ece6f8ea1f2b61083d168

RedLineStealer

24e73e485857368cf7ec4e1b44b5d9cf86a16fbb8eafd89626b47703256db22d

RedLineStealer

3686ddb8d635e49a9b4e396973aeca3f385a009e3f0265b6679db215776e2c58

RedLineStealer

5e93e8c7f6ba5a59e14d6c4fc47eaf264872e25b424e59924ff3b216f62ab6af

RedLineStealer

8d46b6ae4ba66360d4bc8be70090cba933a62d31bcabcdc40f86de26eda98160

RedLineStealer

ad5d4e214bf6c1bdeaa55653c66aa2416e33d49f8f17104ebcf7108365ec4419

RedLineStealer

db30e7a45705a8bf2071bd51b70157cace17faaf34aef2bcbd3266fa0ecce874

RedLineStealer

+ 1'874 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@original_finest discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210818-vgtafnksy6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

149.28.252.135:26948

Unpacked files

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/c629733b-b18c-4117-b715-110ed5a59aea/

SH256 hash:

5ef5072bbba36eee6d9d030f14b7cc5d6b3148cb91bafede1384e0bbb7af3e01

MD5 hash:

425bdb8ea8162a1581399eaffa282c24

SHA1 hash:

e599257c830fe74112b49b7b4ffce93e08c2438d

Link:

https://www.unpac.me/results/c629733b-b18c-4117-b715-110ed5a59aea/

SH256 hash:

437213830a614c93195269f9186d152bfe2897b94234e5b0b70290eca589848e

MD5 hash:

2f02ccaaa76d5be40bc6395943b9731b

SHA1 hash:

d15d167bc633ea6afa8b134a7360100d641345ee

Link:

https://www.unpac.me/results/c629733b-b18c-4117-b715-110ed5a59aea/

SH256 hash:

1582157177d12098993715ff7ebe9dd235ec32f3c07da1a922c00f5f677526b0

MD5 hash:

3a42ded492f22c76b974a5ee09c56746

SHA1 hash:

947ebedfc80b14b12c1b7092a94de051eec34892

Link:

https://www.unpac.me/results/c629733b-b18c-4117-b715-110ed5a59aea/

SH256 hash:

bd70cbdaa0661ec1d8abbe194a928e2ef1fde6d47dc32ca705aa306b5c7197ca

MD5 hash:

0f63a1200f5bbec0624b86ff2b6e3e51

SHA1 hash:

38e17eb99925e9554578c0fa201840f49ef2b43c

Link:

https://www.unpac.me/results/c629733b-b18c-4117-b715-110ed5a59aea/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/bd70cbdaa0661ec1d8abbe194a928e2ef1fde6d47dc32ca705aa306b5c7197ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)