MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
SHA3-384 hash: ec46ffca356c6151d8137840b7871adf1d9386179638540185d1a8154d29fb288372b451e65fbc6e0d2b13f1aee51c19
SHA1 hash: 5492298dc817a9d9cf2af44b7c228770541da2ce
MD5 hash: 5bec555084177862a21eba17b75d068f
humanhash: crazy-jupiter-nineteen-butter
File name:5bec555084177862a21eba17b75d068f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'707'520 bytes
First seen:2023-07-23 17:10:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e487469ea0a18570ebdd8dccd6399a1 (1 x RedLineStealer)
ssdeep 12288:hzFb61WSg1Hf4J/gjbrVkH0HprhYkfDFQJ2i1Z/cqOWehbDFuDjR8j97OM+fwQ:tr1HfY/gjbrVrB8/cqOWaDHkbfw
Threatray 1'598 similar samples on MalwareBazaar
TLSH T171856B60F9878121CCA12CBC03EFF5A4427CA46B0B6277C3379666ED9620DC9673F596
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.246.110.195:8599

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
5bec555084177862a21eba17b75d068f.exe
Verdict:
Malicious activity
Analysis date:
2023-07-23 17:10:34 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/008374f0-f8a1-4ea2-bcc7-6d91c19149f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/429897/
Detection(s):
SecuriteInfo.com.Variant.Lazy.363999.640.20478.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c38c69ab-64e6-447a-b118-da6fb041babf
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277909
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-23 17:11:06 UTC
File Type:
PE (Exe)
AV detection:
17 of 25 (68.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zebqmuvvvuryqvbkj5kcbc5xc64c7mm5d7zufcnhp25wl2popnta._file
Verdict:
malicious
Similar samples:
14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad
RedLineStealer
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RedLineStealer
5392a4d9dcec99da44ff8338a131c56a874720c3093ffdd81af955bac12cbac4
RedLineStealer
74206dad60a538ee15736cbb16144ec2e6efaeff136704a08a202b3d527c3339
RedLineStealer
86f5b4f32c68f9337a19363da77d77b6275923da37d2e4144b8f0740620fd3ac
RedLineStealer
a09f32df2ebb726fa5a65d1117b29095ca58ff8ed16926fca96cf4e003e9df4e
RedLineStealer
a603f24dcfe2d6c509d38aa796680ba1ec48af5c984bceb106c7b28224cbfcbb
RedLineStealer
b02a04e65ae9453f1c3bc5fcfd47686be2fb8b8f978c3ec29a0c6749106ed4f7
RedLineStealer
dd7559d441f5207d13dd4e8486af5146085c326b27e0ba2b4a72acbcd2a60984
RedLineStealer
+ 1'588 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1red1 infostealer spyware
Link:
https://tria.ge/reports/230723-vp9nxafh2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
77.246.110.195:8599
Unpacked files
SH256 hash:
8bdc99aa861fda33fa66e72c65451b225a41c21da51dec53137dd3ef0f325e14
MD5 hash:
f7d837a34678f655d2600cd6d38e1fe2
SHA1 hash:
79ccca01271d8501632411192432dde1e5536d85
Link:
https://www.unpac.me/results/211cefd1-5a5c-414d-9405-401bf64090a6/
SH256 hash:
a2fdc80a877bef92cd569982f379331c821c337a322547d89c698cbe415b859e
MD5 hash:
5f0f246ed497a8ff9d80004efe068346
SHA1 hash:
cb997a3c1a1f4884d17d1f5a2c86c277f323124b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/211cefd1-5a5c-414d-9405-401bf64090a6/
Parent samples :
a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
dae4ef263266f77d4bc88a23772a5a65e8ffe9ce69e3446019fbc2cd6b87df79
4c3b0c1e5e66b0f794e09afe724a3a805610becebc02741f009603ab2e2bb689
c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284
SH256 hash:
c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
MD5 hash:
5bec555084177862a21eba17b75d068f
SHA1 hash:
5492298dc817a9d9cf2af44b7c228770541da2ce
Link:
https://www.unpac.me/results/211cefd1-5a5c-414d-9405-401bf64090a6/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9030652b5ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/429897/

Comments