MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123
SHA3-384 hash: 7f33cadff4b303f463caa0f5bb6fb15f0f643fa395244200fe1a5d78ea1cd8620ec29ec4383b8cc9ed2d2473dafa903d
SHA1 hash: e28e7416bcc03a06dd290f20a0e71c9163439475
MD5 hash: d0493b8445b39746402fcad4e06e3850
humanhash: lithium-michigan-stream-cardinal
File name:d0493b8445b39746402fcad4e06e3850.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:283'648 bytes
First seen:2022-09-20 21:10:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc302fa1d6e6004306c9dba66e7f4593 (3 x RedLineStealer, 1 x RecordBreaker)
ssdeep 3072:narha5Q82U+ZvkPK4Vm17IF9I1vj+x69Cogn4Zk/pBj2ZQcNVWvmXWBx8N9wKIr+:eHU+yPA1Z1C8TgnIk32aNu4X7iC
TLSH T1AE540210BA20D032C4341672087582866728FDA65B659BC7779D7E79FF732C09BBA387
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f1694d4c68b2b472 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
46.18.107.225:6134

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.18.107.225:6134 https://threatfox.abuse.ch/ioc/850710/

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d0493b8445b39746402fcad4e06e3850.exe
Verdict:
Malicious activity
Analysis date:
2022-09-20 21:13:17 UTC
Tags:
redline
Link:
https://app.any.run/tasks/0738ae9c-09a9-4ea2-8948-24e5ce62a65d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311809/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/632a2c69b333b2ec6b3b4114/reports/d12514c1-51ef-427c-a15b-2e606f227ee8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1889157b-3b24-40a9-bd16-cb55196ccc9f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1074091
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 20:27:12 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfgtbtw4gzl3zzpnlidggpfyhlpwwghskpdm5uaumlikreo5ierq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:test infostealer
Link:
https://tria.ge/reports/220920-z1kw5saaap/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction:
46.18.107.225:6134
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ace7f42f-f16b-4717-975d-e87d20ef8c07
Unpacked files
SH256 hash:
ff7f84b41f53c5595cfa327b7d883b0e3ebb8becfb433163d8ab29071d71c9e9
MD5 hash:
79fd3d0ebe5664a5c631b0d4bca4d2c8
SHA1 hash:
3ea6b61c5d47315d9e54cb834e2b25578686b2f6
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/374325f0-733a-4be6-a505-e47614250b9c/
Parent samples :
5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264
c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123
1fda2d1c1c161e51b6ac01ce6503d62782493417339cb1304a07cbd6f2ff98ee
SH256 hash:
9e5877cf10e8c9c53bb13285efea8cd5f2af26912dabafea603cb217db0baa2f
MD5 hash:
900d22f7b7b4f0dbbf9d87cbe891ad26
SHA1 hash:
2f8a158e41a79e53b9ce098bb96628935d138310
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/374325f0-733a-4be6-a505-e47614250b9c/
Parent samples :
5ea64524fc886f66d5b3aa5311e2daa4c033a9a23104bfea0829b0f46a26d264
cc04d694f64cf0c0e875c279d0aca58c18fe6796dfd94282b61039d400126900
c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123
c0908595a7264db050cdfc6067b6193935fa95812ea93d0a167748f6e34149a7
4be839ef16079be8c184fae241e067b607860f60c7cc45f4de438f0ab1ec722e
1fda2d1c1c161e51b6ac01ce6503d62782493417339cb1304a07cbd6f2ff98ee
SH256 hash:
6ba18a4f251b96bb823f69cf406c33884c3b3181cd6699ebe20b60bec9353710
MD5 hash:
f9a16926a9dba3eef68f91638ac07503
SHA1 hash:
2297b493540960977f10414799f6925595bfa7a7
Link:
https://www.unpac.me/results/374325f0-733a-4be6-a505-e47614250b9c/
SH256 hash:
c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123
MD5 hash:
d0493b8445b39746402fcad4e06e3850
SHA1 hash:
e28e7416bcc03a06dd290f20a0e71c9163439475
Link:
https://www.unpac.me/results/374325f0-733a-4be6-a505-e47614250b9c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c94d30cedc36/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c94d30cedc3657bce5ed5a06633cb83adf6b18f253c6ced01462d0a891dd4123

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2308260/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/311809/

Comments