MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c33fa13197e5809c4dbf29cc449ee30fdef4ca1274be4c20b7ba5f25f9d5af96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c33fa13197e5809c4dbf29cc449ee30fdef4ca1274be4c20b7ba5f25f9d5af96
SHA3-384 hash: 1db8fadffbc6c3d6dc7d97597096df749f2d46a80e7096d1d7644dbcc60d13edab753450557e10ebbc6d6f3fd1c911e6
SHA1 hash: 22e8a6164260fb042fdaf4c3762f98f1b94033db
MD5 hash: 776891428b5210d6c25e64e5a3791002
humanhash: alanine-carolina-glucose-illinois
File name:776891428b5210d6c25e64e5a3791002
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:500'736 bytes
First seen:2022-10-21 01:54:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6146b67bbbd8b071bb2e0791b11c6903 (3 x RedLineStealer, 2 x Smoke Loader, 1 x TeamBot)
ssdeep 6144:Vg+0RPPSLa1uyaOyO3baKngIoxB5f9RxEhPlRU5FgdYlya0UOLYK:VgHPPSO0yaGnlovVj6tlm5FZch8
Threatray 5'106 similar samples on MalwareBazaar
TLSH T1EAB401363AD4C032E6A711358854ABB0AB7BBC3016BA65973BD8167D4F707D2EE25307
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acafecee6eaee (53 x Smoke Loader, 24 x Amadey, 14 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
776891428b5210d6c25e64e5a3791002
Verdict:
Malicious activity
Analysis date:
2022-10-21 01:59:22 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/8bf3ca61-a66c-4ef3-b749-84efaaabb156

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322162/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62945231.9267.8971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6351fbf8898b0652a4b92dda/reports/f4a59b2c-15a0-4932-90b9-33e55f8ac875/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e81c6b1f-f635-4b4f-9e65-76b485956586
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094565
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c33fa13197e5809c4dbf29cc449ee30fdef4ca1274be4c20b7ba5f25f9d5af96/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-10-19 20:23:39 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ym72cmmx4wajytn7fhgejhxdb7ppjsqsos7eyifxxjpsl6ovv6la._file
Verdict:
malicious
Similar samples:
365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4
RedLineStealer
4082e03bd9b4dfc2bb47a8885ba0a7a0404c4c1e82095fd7065a9c3358644b68
RedLineStealer
4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d
RedLineStealer
62263e2a3baa016b5048a6db6c0db98f8036c6fedb41216a6a08087ac7890413
RedLineStealer
85245aa479744025f0b3582703dff74aa5e13b28704b011d21a9ec8a443f8516
RedLineStealer
8f098d3db473a169c44697130f8af8d54d2cef231d17fb384fe5a2b2ccff6715
RedLineStealer
d5e3adb146e7b49bef24ad7fd2982f2c1d927da3bdcb5c440d531fa7a7de6d16
RedLineStealer
+ 5'096 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221021-cb4xdsffd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
41.216.183.52:9882
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b1dd4b8a-132d-4bcc-99fa-62d79d5e4b0d
Unpacked files
SH256 hash:
c111eee0b68e51805aeb99cae0b9cee4e1b1d478bd4f622f3816643a519f238c
MD5 hash:
14a636fe97375aeee4904d7a9fee33d4
SHA1 hash:
c346327eb0f916cb51d6acb67cf0e6eef709d286
Link:
https://www.unpac.me/results/5d9a9c09-6809-46ac-93d3-64a9a133aae2/
SH256 hash:
a20acc2a237483999a763700f028bd1e933b0805549ce7d376455f200183a670
MD5 hash:
6f8ccce92667916dc5c71b29336a23a0
SHA1 hash:
a4a7ee6bf8d8355ab4296686a214ec9e44ce52f8
Link:
https://www.unpac.me/results/5d9a9c09-6809-46ac-93d3-64a9a133aae2/
SH256 hash:
79868415d1063c46b5e5acf76737d0582d6672ac8b54f156c064ba85609d9115
MD5 hash:
ff10c47f507630d95f99e18cb38645d6
SHA1 hash:
70475659ad1d6af00a783173c6f1cf5e9aa0be1a
Link:
https://www.unpac.me/results/5d9a9c09-6809-46ac-93d3-64a9a133aae2/
SH256 hash:
6d531097ced92a99a7c43210d3f807cd275635e247f6cd92b5d91fd83806c0c0
MD5 hash:
49127dcfd735b7f1475bd6b68558e7b7
SHA1 hash:
323bc04bc0c4e59d5c23a3eeb70fcafac0332167
Link:
https://www.unpac.me/results/5d9a9c09-6809-46ac-93d3-64a9a133aae2/
SH256 hash:
c33fa13197e5809c4dbf29cc449ee30fdef4ca1274be4c20b7ba5f25f9d5af96
MD5 hash:
776891428b5210d6c25e64e5a3791002
SHA1 hash:
22e8a6164260fb042fdaf4c3762f98f1b94033db
Link:
https://www.unpac.me/results/5d9a9c09-6809-46ac-93d3-64a9a133aae2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c33fa13197e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c33fa13197e5809c4dbf29cc449ee30fdef4ca1274be4c20b7ba5f25f9d5af96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c33fa13197e5809c4dbf29cc449ee30fdef4ca1274be4c20b7ba5f25f9d5af96

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/322162/
  
URLhaus
https://urlhaus.abuse.ch/url/2381423/

Comments