MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb5b3ec1be5f432cec70fbea8d525210ef25570b56fba33d7da1ccfb70c6c935. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	cb5b3ec1be5f432cec70fbea8d525210ef25570b56fba33d7da1ccfb70c6c935
SHA3-384 hash:	f564c9516d7f0813d912ba2aca4ededae345d3511332ac6e20c41586d8e8dff7dd0f914f8b927f0bb9a9d3c0aeb707cb
SHA1 hash:	c77bdc81267114e296f2019ba37b886385f6bba0
MD5 hash:	e4d75fa07eb1ddd24f11c53086fba160
humanhash:	triple-bacon-orange-october
File name:	cb5b3ec1be5f432cec70fbea8d525210ef25570b56fba.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	414'720 bytes
First seen:	2021-05-26 18:31:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9c2c73a90cecbb64de277b78e4756e5d (2 x RedLineStealer)
ssdeep	6144:FZTQCmWijvGIduIBOoKwqxlsSSOEtmgvw9eyxujgslYNnv7:FZTQCm9jvGIvQoK/T5SOEcrbxujgyY
Threatray	544 similar samples on MalwareBazaar
TLSH	5B94AE20A7A0C034F0F216B845B59278673A7DF1AB3450CB62E47BEE56F4AE19C31797
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
104.217.8.122:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
104.217.8.122:80	https://threatfox.abuse.ch/ioc/64483/

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cb5b3ec1be5f432cec70fbea8d525210ef25570b56fba.exe

Verdict:

Malicious activity

Analysis date:

2021-05-26 19:08:59 UTC

Tags:

trojan rat redline phishing

Link:

https://app.any.run/tasks/aaedea9d-be68-4c81-9da1-1ef892380927

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/162566/

Detection(s):

Win.Malware.Generic-9864651-0

Win.Dropper.Gandcrypt-9864806-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/792832

Signature

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb5b3ec1be5f432cec70fbea8d525210ef25570b56fba33d7da1ccfb70c6c935/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-05-26 18:31:07 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=znnt5qn6l5bsz3dq7pvi2usscdxskvylk352gpl5uhgpw4ggze2q._file

Verdict:

malicious

RedLineStealer

3622c63a1e0fb6cc737b3face306b45ea39c26140dcf10be8d1dcfa90cc2df8e

RedLineStealer

88d9a8f5995b204905d44e49a90679acf5c3d83b0623b9391dedcb243fb52d41

RedLineStealer

90823e9bf099b873263241a2a7c3435b85fe6480ecb4fff4da9563ba95e7b31e

RedLineStealer

b16c67c196a1cc559f521eeac0052b0025b0eac9afdc5a25c6d8d7e7a611b37c

RedLineStealer

cdf3b92214030125e3c8f87d4b019f955073d76c2da279c2a2fcd2d9591aed2a

RedLineStealer

ebed275eba9f8eddb2242c93732b7a213ede149bd79a792de9d6f8dda6d7f3a3

RedLineStealer

ed3f452a9fed41f5d3dfb528d6c05a53298b559775eeec46eda50ad42a714b28

RedLineStealer

faa254ca57ec7188939dc6b75b65b9e018d3152c5adb2953daaea28fd4044b69

RedLineStealer

fd1950809cc08c90a09af1289b6107d2f86f4873eca54d2ef2baf3a0590a5491

RedLineStealer

+ 534 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:25.05 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210526-16z55sl2xj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

lanaky.xyz:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb5b3ec1be5f432cec70fbea8d525210ef25570b56fba33d7da1ccfb70c6c935

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/162566/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample