MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfc594ee1e900ae34a48fbb6c833ffe9a0fae9baf8b620d71a273a0913dbd939. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfc594ee1e900ae34a48fbb6c833ffe9a0fae9baf8b620d71a273a0913dbd939
SHA3-384 hash: 876c473cb32824126bea3f29e8dd3b5bb2d749e3fb6b1ff2e80b5bf44bc5614952ee2d91feba79dbd32a6c83614aaf8a
SHA1 hash: 8581bf9990d130b259a558e6117b2877af481b1c
MD5 hash: 5e7a2fdde2803b22b39abf66ecf9bc33
humanhash: island-ohio-pizza-chicken
File name:bfc594ee1e900ae34a48fbb6c833ffe9a0fae9baf8b62.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:249'584 bytes
First seen:2021-07-23 00:40:46 UTC
Last seen:2021-07-23 01:45:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:7wh793ZMLTw7x6VssRGJSVYDaMrie/sX81bCtFs:7W8ssCSVs6FtFs
Threatray 833 similar samples on MalwareBazaar
TLSH T13D34AE5EE7452B45DA943A3CCAE6DF2603B1ED6CFAD4D319A06937590F373812809B83
dhash icon 5a9e14f8f0e4e4f8 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.244.182.34:22602

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.244.182.34:22602 https://threatfox.abuse.ch/ioc/162201/

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6083453904912384.zip
Verdict:
Malicious activity
Analysis date:
2021-07-22 19:58:13 UTC
Tags:
evasion trojan stealer vidar loader
Link:
https://app.any.run/tasks/702c2e96-bc84-40a0-841a-bae79efd3c3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173460/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37278646.18383.27632.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3b5b6bd-01d6-4de4-b612-6999e2bf668f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/820473
Signature
.NET source code contains very large array initializations
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfc594ee1e900ae34a48fbb6c833ffe9a0fae9baf8b620d71a273a0913dbd939/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7czj3q6safogssi7o3mqm775gqpv2n27c3cbvy2e45ase633e4q._file
Verdict:
malicious
Similar samples:
36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0
RedLineStealer
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
RedLineStealer
49109a49df93b6624b2ddbc0f64038ae42b16fee070844d19c1a5c27d4b7764d
RedLineStealer
66e702f81c4dd98b79f521eea0b260b9949f8629824490a442cb14db543092de
RedLineStealer
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
RedLineStealer
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
RedLineStealer
a77affc8aade0e41bacc74406c6db70c087971dad3f5acb73eaa0531ecb0135f
RedLineStealer
d4318bfc9c962824b9254a8eecaa7f30c5e6cc3a209a6d8ef84395aeab2403b7
RedLineStealer
+ 823 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:neuwikkks123 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210723-fcyqrfyeks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.244.182.34:22602
Unpacked files
SH256 hash:
ae1f6bea2787a7dd2b6ebf287bbc0e0b3f59bc444a29f238d8489d857aa0675c
MD5 hash:
a5862c10fb85a51462febb56cf4c21ec
SHA1 hash:
dbdfd8bd6cba2d8452c36606831dd6e20ca2df84
Link:
https://www.unpac.me/results/d34bd47b-c716-4133-8ae5-6e4d45090569/
SH256 hash:
819afbf61361cbc63d56ac17366a838447e96a358b489002cd5bc84274bd20ea
MD5 hash:
01e76568386eda9428811262daa084b1
SHA1 hash:
13378b290a62c35ae3d3d062da70acbe6bf4236a
Link:
https://www.unpac.me/results/d34bd47b-c716-4133-8ae5-6e4d45090569/
SH256 hash:
bfc594ee1e900ae34a48fbb6c833ffe9a0fae9baf8b620d71a273a0913dbd939
MD5 hash:
5e7a2fdde2803b22b39abf66ecf9bc33
SHA1 hash:
8581bf9990d130b259a558e6117b2877af481b1c
Link:
https://www.unpac.me/results/d34bd47b-c716-4133-8ae5-6e4d45090569/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bfc594ee1e900ae34a48fbb6c833ffe9a0fae9baf8b620d71a273a0913dbd939

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe bfc594ee1e900ae34a48fbb6c833ffe9a0fae9baf8b620d71a273a0913dbd939

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1453953/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173460/

Comments