MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be06e503bd48a2d5ec4dbb6532ad3ef1abd2d3659fa39baf2c34ebfc49b158cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14



SHA256 hash: be06e503bd48a2d5ec4dbb6532ad3ef1abd2d3659fa39baf2c34ebfc49b158cf
SHA3-384 hash: a64785227b008e177130df370b0c9f84f558835258e0b6087beb4797098e7ace971ec19676d47d45de5a851fe4c6a0b2
SHA1 hash: 987fa2dec584d70da3c12f78ac777ca571261131
MD5 hash: 897fdc53ce5f26017c224ccab9001e74
humanhash: tennis-dakota-sink-hydrogen
File name: be06e503bd48a2d5ec4dbb6532ad3ef1abd2d3659fa39.exe
Signature: RedLineStealer
File size: 5'207'176 bytes
First seen: 2022-01-25 17:06:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1f273e55d954a3cd6ab7388915a0485 (3 x Neurevt, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep: 49152:8zOJB5ZJBK7/stk6SY6stAHzUfj7a3MTP4dUQD69CudgD35GoW8rHZz3r9dT:8KBtKzatHa43Qe9C+i35Go/rvT
Threatray: 745 similar samples on MalwareBazaar
TLSH: T1E1369F237389613EC46B1976853BD6689C3F7F627922CC4B7BF4694C8F351406A3A60B
dhash icon: f8f89c969392ece4 (3 x RedLineStealer, 2 x Formbook, 1 x FickerStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.215.113.107:1433

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 185.215.113.107:1433
ThreatFox reference: https://threatfox.abuse.ch/ioc/328443/

Intelligence


File Origin
# of uploads: 1
# of downloads: 168
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b921d63f6ae85b6d2d3fa919c58fd6a1.exe
Verdict: Malicious activity
Analysis date: 2022-01-25 16:11:53 UTC
Tags: trojan amadey loader rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Delayed reading of the file
Sending a custom TCP request
DNS request
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
LanguageCheck
CheckNumberOfProcessor
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: cmd.exe control.exe dotnet.exe expand.exe explorer.exe fingerprint greyware keylogger overlay print.exe regasm.exe replace.exe rundll32.exe
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Zeppelin Ransomware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2022-01-25 17:07:14 UTC
File Type: PE (Exe)
Extracted files: 79
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:gladiator discovery infostealer spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.107:1433
Unpacked files
SHA256 hash: 609dd813278c49c248af03fbb9ffe1a4357a103c907fe8e4483e5be6df98a3fb
MD5 hash: 3b50fdc5c080e055f4dcc1280248a67b
SHA1 hash: b53803f7cc142ddd03c6ff8b6fc5989271b5c7cc

SHA256 hash: 6866a8f0b4b14682d933bcef2cc605b594baac247eeecf1c5446b8b3917110d5
MD5 hash: 2423b5508c7d0125f622ea1e204134fc
SHA1 hash: 4e43e1d966a7787c0645bfae279718fe4ceb5ad4

SHA256 hash: 2901a4c111d7ae496fd91653078015df82f8dd1826f8f1b54e8545bc98eb132e
MD5 hash: a0379d6467378342b8df733c37cbefa9
SHA1 hash: f296428bedb8ee7763572e041dbf15c9b6bb6854

SHA256 hash: 47805aceec519944f6baf4a154f7d8bc99bc6c89a02cd8e61c7ee5c6281bd1ab
MD5 hash: 5d3cae38e23dd248cc6e7c1184505cb5
SHA1 hash: a479200e07d54b851ec67735cac870332013e0f5

SHA256 hash: be06e503bd48a2d5ec4dbb6532ad3ef1abd2d3659fa39baf2c34ebfc49b158cf
MD5 hash: 897fdc53ce5f26017c224ccab9001e74
SHA1 hash: 987fa2dec584d70da3c12f78ac777ca571261131

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments