MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 cb662283c4a93c470eb59b7176afc2ac7711fde00e9b8f90d0637e15a39bb05c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 16
| SHA256 hash: | cb662283c4a93c470eb59b7176afc2ac7711fde00e9b8f90d0637e15a39bb05c |
|---|---|
| SHA3-384 hash: | 61dab976f0a894556d82be1be4f211d945a143e7ad2a1be6ff372ccb229473a39822975d1b4a28f673d8f440110757b0 |
| SHA1 hash: | dc7e3f8f3240843066e05fc388a1d6a1d46022f0 |
| MD5 hash: | f8496afbdbe41132d8f88fcc11ec81ed |
| humanhash: | bravo-undress-washington-aspen |
| File name: | file |
| Signature | RedLineStealer |
| File size: | 226'304 bytes |
| First seen: | 2022-11-14 13:02:53 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 1c9c51bdda6471901399212ca345aac3 (4 x RedLineStealer, 1 x RecordBreaker) |
| ssdeep | 6144:GFeDvxhOjwN/1mwyB3G1mwyB3uCyRyIkpRf2w3wsn2Kx5N15nAD4:GF0vxhFN/1mwyB3G1mwyB3uCukHew3wA |
| Threatray | 1'324 similar samples on MalwareBazaar |
| TLSH | T143249E273220C071DCD1D4F716F5C2778CAFA6924FC8D2CB316C05AB1A7A69319766AB |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Reporter | |
| Tags: | exe RedLineStealer |
Intelligence
File Origin
# of uploads: 1
# of downloads: 203
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-14 13:03:19 UTC
Tags: trojan rat redline
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: RedLine
Detection(s):
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-11-14 13:03:09 UTC
File Type: PE (Exe)
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Detection(s): Suspicious file
Verdict: malicious
Similar samples: 1'314 additional samples on MalwareBazaar
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:711 infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction: 194.110.203.100:32796
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 6bb44e4339951fcfb2013e7d6e85afe72988e8d4b0229cc810c20753bbae63cb
MD5 hash: 886bff907b9e1fd1cbffdaed75db55b2
SHA1 hash: d08b7c62f8d610b3826433700101f2dfdb9fb39b
Detections: redline
Parent samples:
cc285423b687fee9ac81af7fe2e1c44edb440f2d141bd06f587562bbecdcf4c8
1a7c46ca6fd9550031e1d820aec076d1df75d19113621ac2bb1e988a8c9e4ae0
e0a8b7625ae37474dec9abd9ca3bcce1579ad5298d73e3bf6216fe6c301a21f7
0cb1bd5e42c2c36180da286a6fea506828bca2b52ce90a33efa79b2a1bbc087c
9a635290353b8d1a64f58c5d0a84a474aca0bed55f6924aa8ef639138f2f3501
40bf6081aba422e4a8e6f7c28e37862db5a55a9b2f7fc91b0dfc338a8c118b61
47e4f1702bdb782cf54bc63ddfd4d3ab8c914401ec04753b1ce0467e9af8a0df
3a954a6d5b0dab1a3cd72abc9922ac621faa9ffeec1cbfd30387f9b58ff0524c
487f692d4542dbf36326edf1a9dc95aa79766976ffa216ada919608607115f07
0aea55e208c4bcca4ce15ed0cbf9da28dd9a673c81b2a6498120cebb1d91df00
02037c6c2f167c6d8a644eed10a3230a030794d44f199b123118991d847320cd
cc03302457a0f8306587c3cc985e34de489419c910f1d91b008f4e435cc19a25
c19eece37b3f121921955fa412ad6b48877f8267b5736254f8b08a7182c80fb7
c6540305bd436857be3a8d27add6cc8da08d32c156846f30369b9baf012bb13c
c9192a00936786e367fe1ffc605eafc645c4bc3dcc66987772a8def633235468
bc7381a7248b4a546acf4944e549080fad811acbf1b22a07a3469ea0559faa62
d6841d2cc49083cd7cb8f193d2472bcfa3047a9604862e488add1a62ccae3b3b
8a95bd48d2584a749fda8738ec81175f9599b73c6ab873e92177287450df8fd9
391a279a73e83e2bb74cc101dfac06934a7557e45b0bdcf6e936638933b7642b
bd862ccdb4efe187742367ac2aa0862d96747a1f066ff8d2fb356712f14e835f
3e51fae8b429b5bb30d61a5efb5357020eb378f5b83e1e913349d737ebe0bd10
1de1be30fe540a3ec2668c30563484622da5359180d635842e30013d036b7f21
7364c1a162c1aba59448972e7a1586925cc2287dd02476acfe909bad9c2e9798
82ed847ff151260a02f9c9ab127186e7778bd6a92e7c29f7064f4eb93544cb5a
eeffec5de4713c770dbcb8c37102766f46c6e0472d69945cb75bf6ce4828e695
48709413d8861b47cf9e5b2ad93fdade7a287c7ad09b406a133457b1ce4b4049
23a9ebd6ecd7cfe183feae9a59770946eee29c879c5e04f7f8124c69122851d2
41b50ca266a53fcb5dcb9823614f6d0089f1234997cfee67b2d2283905a79056
89a4671154cbedeef33f82bfca8024cb818c413e136eb288a25cc026a6c763db
a07ecabb9993e542834dab5498e7ab394dce0c9bcc02b186aebca710e8969db0
81173b89b99d19283f9ebe3ee7e2aa13070618cbb1d9d7c96a2bbf8be985dc7a
640c48fb023a7626bf4f85e38ff1ef0101a56a8935c5d2b3281cf7bc62dfcf1f
cb662283c4a93c470eb59b7176afc2ac7711fde00e9b8f90d0637e15a39bb05c
a97dd2d4430e1f045564b591154d3537eb3d07def924533c62d8fdc8577cd89c
e0b552b692edd10e64e50af22ca59ca13166e42f31011c38a491505a42fdc901
4eba84651f9277848e81305df8d9cf6ed26f2a46d872a553f71615fcab13d17e
10b4fab1fd21031ab0c60827c213d57e36aaf3c24252dfa9fcc1c68134ab9637
238154fbeb8c1e9044badca46b9b98c1daf21bbea74b49b5a9939247c437bbec
f248e10c0133de41a9a57fe904c065124b884f664d1ddf5d62c6284301a850b4
a1897916acce8b810ae11ed907d77d5bf7245823ac832a1603dad73d7f552ecd
ef5ebed758551ce1266e4f30ca6010e151f6c5e6f1e0748949dd09d0b42716e1
466a20366f2f16813a26bdc6cce70a33d8c14bef069efbe24e0c028c9eb92c10
a4f1cc0fc562132d002fb992a4552dee7e75c26343be8611c9f9bc6b2d68eec6
SHA256 hash: cb662283c4a93c470eb59b7176afc2ac7711fde00e9b8f90d0637e15a39bb05c
MD5 hash: f8496afbdbe41132d8f88fcc11ec81ed
SHA1 hash: dc7e3f8f3240843066e05fc388a1d6a1d46022f0
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Redline
Score: 1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Dropped by | PrivateLoader |
|---|---|
| Delivery method | Distributed via drive-by |