MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd824ea4c4eda6ab14aa271fa88dae5e1102d4cbaae86d46e47b80be0247d11a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd824ea4c4eda6ab14aa271fa88dae5e1102d4cbaae86d46e47b80be0247d11a
SHA3-384 hash: 0d593fab872e09bbd2b7e2e20c13314daa0c8f85359797a618383f16fdff30fc707f2448043eb36320bda7f0c5e76f06
SHA1 hash: b6f2b583d98deb3c4d737b50c2f6e8e2af7c808b
MD5 hash: 065be531fe6e3a1b091eaebb080d97f1
humanhash: washington-georgia-ink-dakota
File name:065be531fe6e3a1b091eaebb080d97f1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:426'496 bytes
First seen:2021-03-14 17:06:24 UTC
Last seen:2021-03-14 18:39:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a11b562aca09b56891404447b8058609 (1 x RedLineStealer)
ssdeep 6144:b2GjJeprZphzLr34e/MaaWg3D9oAPfC1zRO+UVEMN71U4KhfXkgYP:b2dprPJLr3R/AD9oAPf+1u0cgK
Threatray 904 similar samples on MalwareBazaar
TLSH B994BF21E7B1C034F4B302B559F596B8A9387E315B3894CB63C4379A1A386E6ED31B53
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://ynarliahel.xyz/

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
065be531fe6e3a1b091eaebb080d97f1.exe
Verdict:
Malicious activity
Analysis date:
2021-03-14 17:07:36 UTC
Tags:
installer rat redline trojan phishing stealer
Link:
https://app.any.run/tasks/65a9f5f6-d257-41dc-b35c-2e351f3a62e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/124215/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.62909.5799.21618.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/638910
Signature
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bd824ea4c4eda6ab14aa271fa88dae5e1102d4cbaae86d46e47b80be0247d11a/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-03-13 22:47:59 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
111ce2db5048d86ce10d4156c62b15e34b6fee8dc11bb5ad5b70a0b086d56976
RedLineStealer
216ab21badb89b973736f1ccdc2d2842eac2ce03c437521baf198626c0a14238
RedLineStealer
475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2
RedLineStealer
6f9ca1a18eb9a5c5938a9a74a1072a44fbd16685172468e61c7a564a8175c9a7
RedLineStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RedLineStealer
87e1e8b1fb643ea3665a8d6994bf5f7f9b48ce07218ef488d49f95142eac0eaa
RedLineStealer
9557feef95067f3447bd79cbfbb2910782b44f9a0ca579d2bc7e0877cb72dc48
RedLineStealer
ab22c95510080faac2e49e26359995096e891b1043fc9f62dbff27e166c98316
RedLineStealer
ad576450137bdc56a01b5615a41f0da3e3cad04b679a2590ea9b49150aba85a7
RedLineStealer
f16adb56474138575e8d9a5fac130beec5a2f5be95c34fe86c90614ab4ebdd8e
RedLineStealer
+ 894 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210314-2wpk4c4176/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Unpacked files
SH256 hash:
ee4477352627bacc9e71c302bbf5aa06ba9b6f7ad7a929e9b33c168da11c17c5
MD5 hash:
703fce3ba4ce249568edf99cca78d406
SHA1 hash:
d6445f9f5916fdfaf8d48f2f93285391e9eae053
Link:
https://www.unpac.me/results/a4c07ff0-6c1e-491e-ae67-2f8e0db06ec0/
SH256 hash:
67cd24c1042e79f36e9f3d4d0ad2ef39046228f5a0fb5b4934235f3cd334cc65
MD5 hash:
ac6f164c11b393a5bf112f1c560a3c29
SHA1 hash:
6bfca41c7d75132416efec52133549a52988b9d5
Link:
https://www.unpac.me/results/a4c07ff0-6c1e-491e-ae67-2f8e0db06ec0/
SH256 hash:
68e9c301a27a46b5f52ca88a44d87c502babb9ae7c28acf8623e1a75f4568562
MD5 hash:
c3b361fe0413dacd58e43b993b826c35
SHA1 hash:
52a335da2f1dd97a01a5f86533997b49b4298c9f
Link:
https://www.unpac.me/results/a4c07ff0-6c1e-491e-ae67-2f8e0db06ec0/
SH256 hash:
bd824ea4c4eda6ab14aa271fa88dae5e1102d4cbaae86d46e47b80be0247d11a
MD5 hash:
065be531fe6e3a1b091eaebb080d97f1
SHA1 hash:
b6f2b583d98deb3c4d737b50c2f6e8e2af7c808b
Link:
https://www.unpac.me/results/a4c07ff0-6c1e-491e-ae67-2f8e0db06ec0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd824ea4c4eda6ab14aa271fa88dae5e1102d4cbaae86d46e47b80be0247d11a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe bd824ea4c4eda6ab14aa271fa88dae5e1102d4cbaae86d46e47b80be0247d11a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1056715/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124215/

Comments