MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272
SHA3-384 hash: e6f440a4512963962e7e3bfea1ed77c1f6d7d942428825fdeb62c2756c0ea5776b4025b44599be80a3b1c302bce1b96c
SHA1 hash: 447294e67fa7170de5ece9efb4cf0c2ab46050ce
MD5 hash: 69e5847828bf1c24c7d5643e10379956
humanhash: summer-berlin-green-early
File name:69e5847828bf1c24c7d5643e10379956.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:329'216 bytes
First seen:2021-03-31 12:50:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baf6552e1c7923d039841ba11b7a0d4e (4 x RedLineStealer, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep 6144:5dCcl254oZLhKOlzfxA91nzElFR/uazo4po6PGgrU+kkB+UF1PE:GclToZYOlDxA91nzElFR/uaJpU3VK+
Threatray 619 similar samples on MalwareBazaar
TLSH 9164E000B5E0C073D15609750821C2A65A3AFCB59F78A6C77BD43B7E6E392D18A3A3D7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://lordliness.store:40355/

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://91.214.124.141/proxye.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 10:38:10 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/5f87034b-641f-44a4-b572-646c584739e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129277/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.6898.7585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP POST request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660400
Signature
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 12:51:05 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3g35zwukxgla22htpiipn26duafpllh225axlei44g6z2qsgjza._file
Verdict:
malicious
Similar samples:
0aab43b526e9c5c16eb0d285a6c1c50fba4c750a23020234f3c1a8d329074b6b
RedLineStealer
296828d37dd5732fa8bc85dd59c8032bdcbbf5aff62399ae72cabdd1989c475b
RedLineStealer
60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5
RedLineStealer
76386b4c6c46b36b26d9ce00df7982d461bcd1a7586dde62cd831349d0aa3a4b
RedLineStealer
89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2
RedLineStealer
8ab0599e3f141523358e5b60ef3cd9a2fb1fdbde52cb693e675a9004a25ff007
RedLineStealer
addfb046313926c0cfb9e4293f76c408d8e6798e129f1a1043835088c54aa69b
RedLineStealer
c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c
RedLineStealer
d2b1b74b9bfbb426d4d43ba2271de2bc48a1ed5f5bcf9ce8fa24312266b4dddf
RedLineStealer
deceb572b4fd9c2e2c964ea1a574082a7bb6cc3952ad0c2eaeabe64f20d706fe
RedLineStealer
+ 609 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210331-3c2hjazj7j/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
Unpacked files
SH256 hash:
aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848
MD5 hash:
c61ed3bf3203c28408a6b58a338b0b07
SHA1 hash:
1eafb1e9511440ba36ba0f05d3fe0f076805fd75
Link:
https://www.unpac.me/results/7a2f1bca-9955-4d6b-aea6-c672037293e8/
SH256 hash:
bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630
MD5 hash:
71705e85f8748ca46e31537e62e19037
SHA1 hash:
4f2b3ee4cf0809016c4a9f6958ec752067d838cd
Link:
https://www.unpac.me/results/7a2f1bca-9955-4d6b-aea6-c672037293e8/
SH256 hash:
1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9
MD5 hash:
78a535422e2f6ee38d23303739633df4
SHA1 hash:
a79eb74129aaa63ca4175bad850510667e876255
Link:
https://www.unpac.me/results/7a2f1bca-9955-4d6b-aea6-c672037293e8/
SH256 hash:
becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272
MD5 hash:
69e5847828bf1c24c7d5643e10379956
SHA1 hash:
447294e67fa7170de5ece9efb4cf0c2ab46050ce
Link:
https://www.unpac.me/results/7a2f1bca-9955-4d6b-aea6-c672037293e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1100000/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/129277/

Comments