MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdce363b49f59ea0cdd6841aa6384c295353c9e62fd9f2f7a7dabfc8aa1625fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

SHA256 hash: bdce363b49f59ea0cdd6841aa6384c295353c9e62fd9f2f7a7dabfc8aa1625fd
SHA3-384 hash: e730554c235cb44832b294257e94af246e5b26f71a2055581a60b6f0b2238ee2c401f9fe3b25b45fa631bf1c6a463c25
SHA1 hash: da34e4df6a08ca2342c074959389e05894cb2bab
MD5 hash: 91a4c9febdf073c77f431a14782a4491
humanhash: yankee-low-tennis-jupiter
File name: bdce363b49f59ea0cdd6841aa6384c295353c9e62fd9f.exe
Signature: RedLineStealer
File size: 377'344 bytes
First seen: 2022-03-16 22:46:23 UTC
Last seen: 2022-03-17 00:50:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 66b9fd20d1e8b115e5f4733f6821c555 (1 x RedLineStealer)
ssdeep: 6144:z0LVFTLMk4kqUXTl3A3woa+/PHnT3eCvuYzuZFHWp+9l2JX:zAFT4iHWCGPHT3et+uZF2Q9
Threatray: 4'845 similar samples on MalwareBazaar
TLSH: T15E84F11279A0C036C156A4746C68C272BA7FF4725879C90BB7985B294F223D7FBB9307
dhash icon: 30f048e4d0d0ccc4 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.106.191.196:44310

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
193.106.191.196:44310    https://threatfox.abuse.ch/ioc/395881/

Intelligence


File Origin
# of uploads: 2
# of downloads: 277
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: bdce363b49f59ea0cdd6841aa6384c295353c9e62fd9f.exe
Verdict: Malicious activity
Analysis date: 2022-03-16 23:14:18 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 96 / 100
Signature:
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2022-03-16 22:47:11 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 14 of 27 (51.85%)
Threat level: 1/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 1aa17d0b9a4d2596f66bb9caddf9c2748435aeb5efff259dffb420c77e489c4a
MD5 hash: 5d1e12307f85302e72d56d5a1cbfaa8b
SHA1 hash: df44dc610c3d6c151b2002e4974e7b8c66262da1

SHA256 hash: 9075ef7c86e29bd9d3540b85bacc549eb69cbe8eeecac5ad09b810f78a591eef
MD5 hash: 59eba583edcbe583a6b4b6ed0b72041c
SHA1 hash: d270341630222d7416bdcdc946c1c66fe1348070

SHA256 hash: 229f2ec3621edb2a34e0bb7e9b668312bf1a68ff4f8effbeb5d0bd229c1a458e
MD5 hash: aa7f34d35eef154e5b3a1d08770c2c79
SHA1 hash: 6b2243b283123759c2a4eaaabbdab0b50af08659

SHA256 hash: bdce363b49f59ea0cdd6841aa6384c295353c9e62fd9f2f7a7dabfc8aa1625fd
MD5 hash: 91a4c9febdf073c77f431a14782a4491
SHA1 hash: da34e4df6a08ca2342c074959389e05894cb2bab

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
