MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5307fda2a00ea681c9f87411c3537f88ebca19fe7c23edc22e8d6cab3af8309. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments 1

SHA256 hash:	c5307fda2a00ea681c9f87411c3537f88ebca19fe7c23edc22e8d6cab3af8309
SHA3-384 hash:	68ebc155e90bf120c2af59e05a8d1e43bce8de3dfa69de94fe2b677c3bdb753ba8f5f55d10ec2398a1f496071be32c65
SHA1 hash:	d1e059878669d9a56d7cc7a97d56f4e7b48e4a4e
MD5 hash:	3751029de2bab9ca4095289bbeff0003
humanhash:	wisconsin-oklahoma-snake-equal
File name:	3751029de2bab9ca4095289bbeff0003
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	376'832 bytes
First seen:	2022-06-05 23:05:15 UTC
Last seen:	2022-06-05 23:42:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2d5f1ef6d781c0b0c9d1b00cbdec429f (6 x RedLineStealer, 1 x Smoke Loader)
ssdeep	6144:kvoEI47yvcnzSUY+XWEfPX+pNl6C8Cqd3reuUEadpLeUKHa8xh1usUhEhfF:kwEpmvIuUY+XzPX+R6Crqd7euUEa2vBx
Threatray	3'922 similar samples on MalwareBazaar
TLSH	T1B084CF10BB90C034F5F716F099B993A8BA3EBEB15B2491CB62D516ED1675AE1EC30307
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	60f0f0e8e6a4f0f0 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.245:23196	https://threatfox.abuse.ch/ioc/657214/

Intelligence

File Origin

# of uploads :

# of downloads :

700

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

3751029de2bab9ca4095289bbeff0003

Verdict:

Malicious activity

Analysis date:

2022-06-05 23:07:50 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5762fd7e-209d-41a1-ba45-3397220fe4e3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/276851/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.14284.15599.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed

Link:

https://www.filescan.io/uploads/629d36b6816de95910e086b2/reports/a0ab5fae-1ab3-401d-abf3-99c2663fef44/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/329a0477-da43-4ffd-978e-ccf029e8a02d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1007028

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5307fda2a00ea681c9f87411c3537f88ebca19fe7c23edc22e8d6cab3af8309/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-05 23:06:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 41 (70.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yuyh7wrkadvgqhe7q5arynjx7chlzim747bd5xbc5dlmvm5pqmeq._file

Verdict:

malicious

RedLineStealer

2a113ee60a247825cea2ec2cd7bb1b33302729ee6fbccb2a9fd23f582ace7746

RedLineStealer

843a82d901ad671ab4f033657c08954a8349aff9c0f59eed8869c1a12b82f90f

RedLineStealer

c68962560934ff5b773428ce8a526719c78b8cbabe2e9e649a0bf832299e42a6

RedLineStealer

e67a2b81bf50cd9aebc25271deb32bf15715d3f0a384489ff383d7e63e685d56

RedLineStealer

f07f210bcb0f9ca5d222a89c493a6779870816e04f44f88ac5940bc44a445399

RedLineStealer

+ 3'912 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:meta discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220605-23da7ahean/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.245:23196

Unpacked files

SH256 hash:

08e75a9e3df8d212c34049ae749e270b7f2c2d922e7ddfbc4197813b963954b3

MD5 hash:

e8c9e9cc0036bc649232bc0e9634e6f7

SHA1 hash:

88f6b3d385ecdd2419367ab6511cfd612eb179ad

Link:

https://www.unpac.me/results/a118739a-b3b5-4826-a563-b6874f7cf321/

SH256 hash:

04dbfc9cb2909469fab0bed698c7e371c916ce9b7a9a9328c57d080925a05e57

MD5 hash:

89ce9c691eaf75639edd700b087dca8f

SHA1 hash:

0610f8d2761ad67f9b64ebd3be202be32ced7116

Link:

https://www.unpac.me/results/a118739a-b3b5-4826-a563-b6874f7cf321/

SH256 hash:

8938f212bedfaf8b11511975865a15ba06a9b3b53d2c9aa5c295b70ad79dd6f2

MD5 hash:

041ea344f71a48cd5201fc24ce740a61

SHA1 hash:

0008a3f30efa3d96c6a444f4b8f7e395fc2ea237

Link:

https://www.unpac.me/results/a118739a-b3b5-4826-a563-b6874f7cf321/

SH256 hash:

c5307fda2a00ea681c9f87411c3537f88ebca19fe7c23edc22e8d6cab3af8309

MD5 hash:

3751029de2bab9ca4095289bbeff0003

SHA1 hash:

d1e059878669d9a56d7cc7a97d56f4e7b48e4a4e

Link:

https://www.unpac.me/results/a118739a-b3b5-4826-a563-b6874f7cf321/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c5307fda2a00/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c5307fda2a00ea681c9f87411c3537f88ebca19fe7c23edc22e8d6cab3af8309

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.