MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 becad3c0c2a44f7add3f9cecbae0c18bb01023d86fbf69e1421e4b29ca1b9f7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	becad3c0c2a44f7add3f9cecbae0c18bb01023d86fbf69e1421e4b29ca1b9f7f
SHA3-384 hash:	b8de615d2de954ca961b6ffcd30b142f91413de956baffe819b4cbe42895b249e43b0f6350ddd0fdd049312c711cd1e8
SHA1 hash:	c9a74b931783bfe7a7e8e8e9875bc21600c9e71a
MD5 hash:	7eebda9b150a27aa13967cf62cc8bd62
humanhash:	don-mango-alaska-avocado
File name:	7eebda9b150a27aa13967cf62cc8bd62.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	374'272 bytes
First seen:	2022-06-06 19:05:46 UTC
Last seen:	2022-06-06 19:41:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	46cab790cbef92248fc73672815bb1b7 (5 x RedLineStealer)
ssdeep	6144:z09xyWIbqSu/rSSFXYABFnZE6eU882gao2UT46UR4n1okt+I5RhGmvaiB:z07qbW/LtYAB1Z2Ul2gaJV624g8YU
Threatray	6'368 similar samples on MalwareBazaar
TLSH	T15D84C010FB90C035F5B756F449BA83A8B63E7DA0AB3494CB62D42ADE46356E5EC30317
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	d8b8e4e5d6ecf0e8 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.245:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.245:23196	https://threatfox.abuse.ch/ioc/657214/

Intelligence

File Origin

# of uploads :

# of downloads :

387

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

7eebda9b150a27aa13967cf62cc8bd62.exe

Verdict:

Malicious activity

Analysis date:

2022-06-06 19:11:10 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/f0bb7469-2ac8-4203-bae9-c457c96835a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/277127/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.63404.4068.4370.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed

Link:

https://www.filescan.io/uploads/629e50606aa17a21fc27ffd6/reports/f3e7d5d9-35ed-4370-9db2-0d6a2435f16e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1eef3466-a153-43e1-9c70-e5fae6dc8689

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1007630

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/becad3c0c2a44f7add3f9cecbae0c18bb01023d86fbf69e1421e4b29ca1b9f7f/

Threat name:

Win32.Spyware.RedLine

Status:

Suspicious

First seen:

2022-06-06 19:06:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x3fnhqgcurhxvxj7ttwlvygbroybai6yn67wtykcdzfstsq3t57q._file

Verdict:

malicious

RedLineStealer

41a55e0a590832cb83b3c211282d9292743a197867d483db9a240a300aa96502

RedLineStealer

6053a38f2f9b911cb682ae3085cb8d3abd77c4a886a3790f0e66020d16386c30

RedLineStealer

93ac1dfcdeb6aca6957632ec2478a2baf8f9b71e936102922098a2bc5233a9d0

RedLineStealer

9990d582538b8d58127bc56b08c69d315ed3951c6f9cf44152643188d9cd76a8

RedLineStealer

a59f0c18c73ee15e06c5bf447e6efd4daaa5dba84caf09b531088d1e8bc7cb8a

RedLineStealer

a875098c938f157b3c493ed89049a2d24bb9052b4f493fada7e4ce693b34770e

RedLineStealer

e1940d5d2ccc9a7db9bc4605837262efe7a223942a7cbd9b59506070a04404be

RedLineStealer

eb630c0e1afc2b423b0b70023546a85839bc97661ebd71ce3a73f1cae910420a

RedLineStealer

f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e

RedLineStealer

+ 6'358 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:meta discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220606-xr3dqafcaj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.245:23196

Unpacked files

SH256 hash:

08e75a9e3df8d212c34049ae749e270b7f2c2d922e7ddfbc4197813b963954b3

MD5 hash:

e8c9e9cc0036bc649232bc0e9634e6f7

SHA1 hash:

88f6b3d385ecdd2419367ab6511cfd612eb179ad

Link:

https://www.unpac.me/results/df1e6582-5e87-4c68-a126-f3aefd6f5d15/

SH256 hash:

64d4ce7906e0dda1d41a4f99101760482e1e16786e03b115fb25fd68201ac05c

MD5 hash:

c257e89b0515047d7088f8e5f5db4d92

SHA1 hash:

12f42292ed672c89a8f71cd6b41a7c80c4e3ba25

Link:

https://www.unpac.me/results/df1e6582-5e87-4c68-a126-f3aefd6f5d15/

SH256 hash:

04dbfc9cb2909469fab0bed698c7e371c916ce9b7a9a9328c57d080925a05e57

MD5 hash:

89ce9c691eaf75639edd700b087dca8f

SHA1 hash:

0610f8d2761ad67f9b64ebd3be202be32ced7116

Link:

https://www.unpac.me/results/df1e6582-5e87-4c68-a126-f3aefd6f5d15/

SH256 hash:

becad3c0c2a44f7add3f9cecbae0c18bb01023d86fbf69e1421e4b29ca1b9f7f

MD5 hash:

7eebda9b150a27aa13967cf62cc8bd62

SHA1 hash:

c9a74b931783bfe7a7e8e8e9875bc21600c9e71a

Link:

https://www.unpac.me/results/df1e6582-5e87-4c68-a126-f3aefd6f5d15/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/becad3c0c2a4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/becad3c0c2a44f7add3f9cecbae0c18bb01023d86fbf69e1421e4b29ca1b9f7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.