MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c144d8f95f85a7a2467ebf1594045ec5340ab0251b409503525ed3947e382a0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	c144d8f95f85a7a2467ebf1594045ec5340ab0251b409503525ed3947e382a0d
SHA3-384 hash:	4abce5ffabbce3595fe54b55984a659f156211cf018bc1d9e9a56dea0cdf3fa56f6e8578da622ad310d83e9e24746329
SHA1 hash:	739bbfc982510dccd2ac96bf47e462e5172c015e
MD5 hash:	f18b7a13b93290e002440df85c878d8b
humanhash:	lithium-network-iowa-colorado
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'955'245 bytes
First seen:	2022-10-06 14:21:39 UTC
Last seen:	2022-10-06 16:14:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	09d7f8249a36bc0ff07a4d3c56b1a15e (6 x RedLineStealer, 2 x ArkeiStealer, 2 x DCRat)
ssdeep	24576:XabYMUEBRRPAa+YNYjVSDRfNMm3dnz3t1MCaRhj6rolTXuXutiKqs+DL9kLkkQlh:XqYMUEB3PA8f8CEwroYetiKqs+Dmgl3R
Threatray	610 similar samples on MalwareBazaar
TLSH	T154D53A139A8B0D75CDD237B4A1CB633AA734ED30CA2A9B7FB608C53959532C56C1A743
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc735662571_647997651?hash=CWN8mzZspNOEpWtRBXmtTY8U6N4NHGVrEzDE6vwDRFs&dl=G4ZTKNRWGI2TOMI:1665065920:g1n6Y8MS1ScXZLVBewgFOZGfGEhX5MnuRaMXQoyhylL&api=1&no_preview=1#t

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317329/

Detection(s):

Win.Malware.Redlinestealer-9973169-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Launching a process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41553/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/633ee48d49c58ce767c65f82/reports/f4516761-6f9e-408b-8d8c-37e3c7bf0128/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Certishell

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/73f20f37-bd1e-4af2-b5b9-0fe3fc833f20

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1085018

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c144d8f95f85a7a2467ebf1594045ec5340ab0251b409503525ed3947e382a0d/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-06 14:22:14 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yfcnr6k7qwt2ert6x4kzibc6yu2avmbfdnajka2sl3jzi7ryfigq._file

Verdict:

malicious

RedLineStealer

4bc344e09f50cad258856aca3c3ce4f62f91bf414f29bf67311665185844e7db

RedLineStealer

59e899850342fd8cec14c516dddf3394fe846f043b0959e3daa856969454587f

RedLineStealer

727be5cee6ca4efd8b66e94850461d4d1aab5757d8530d69596b2bd1967790a0

RedLineStealer

7eff4f2344e8b0857d8045e73a199fc159ce1cbcd6a405606dd5e01c437fe6d0

RedLineStealer

8371e7ba1621bbba6b75ff061f6df8ba2c2c4e2cd9844035dbc1c263bcd76c74

RedLineStealer

bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202

RedLineStealer

f7dbe640f31f8a9c00c0902580c04664a07d68d8453a3e7142691168c6fdbedf

RedLineStealer

+ 600 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:000 infostealer spyware

Link:

https://tria.ge/reports/221006-rpkg8shfb9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

13.72.81.58:13413

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/627fe69c-128a-4406-8637-880a14131e7e

Unpacked files

SH256 hash:

8e2c7d865b41081601a7ff85c96faa9321db019ea61898b23cbc657c940ff17b

MD5 hash:

e5485a23dd67053f51b5f94d8c0d786a

SHA1 hash:

27a6a8206f97295f2733a29c7bc55e2036f8d31d

Link:

https://www.unpac.me/results/3e1c6e1a-5bc9-48fa-b74e-55f3f2594a3e/

SH256 hash:

fc7f728372620802c1fd4f79e046cf91cc43a49f850ba458852d6e82eefb9db8

MD5 hash:

dc1535065bb8b28b14ced1eca27d06bc

SHA1 hash:

257f8ae804ad53b39f2979ec23b189dcc574046f

Link:

https://www.unpac.me/results/3e1c6e1a-5bc9-48fa-b74e-55f3f2594a3e/

SH256 hash:

c144d8f95f85a7a2467ebf1594045ec5340ab0251b409503525ed3947e382a0d

MD5 hash:

f18b7a13b93290e002440df85c878d8b

SHA1 hash:

739bbfc982510dccd2ac96bf47e462e5172c015e

Link:

https://www.unpac.me/results/3e1c6e1a-5bc9-48fa-b74e-55f3f2594a3e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c144d8f95f85/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c144d8f95f85a7a2467ebf1594045ec5340ab0251b409503525ed3947e382a0d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/317329/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample