MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f
SHA3-384 hash: 41967c8e8878da429dcbeca4248452dcac2de54ddb35346a21b0e2e144dd91ef69bca9351c70574f0185e0360fa10500
SHA1 hash: d8ec9e79259cb12c088a668afe34c4305f187c61
MD5 hash: a687593ca5cf9d3fee446f7925272818
humanhash: queen-queen-robin-double
File name:Invoice#577595955858.pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'068'771 bytes
First seen:2023-03-03 07:40:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:PB0m0c8A4WdMLE8Q7P0A4iDruQzwXOhR0kLZFs7+:Z07c8r1E8rA4iDruQzwidi7+
Threatray 2'694 similar samples on MalwareBazaar
TLSH T1BAA523027ED1C5B2D6622C336A35A720797C7D601FA5CECF6BC54A6C9F221C2D6713A2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 79e0deceae80fc3c (1 x CoinMiner, 1 x NanoCore, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.87.63.164:15256

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Invoice#577595955858.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-03 07:40:49 UTC
Tags:
redline rat stealer
Link:
https://app.any.run/tasks/af18bcba-5276-463e-8377-5e7d3864c1dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371323/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm autoit greyware keylogger overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6401a490fa4a461fbd256c27/reports/94449241-ea82-4df3-93d6-d62029b1e214/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f044f7ea-09e5-4c3a-bef9-84110334e6b5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186334
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 819200 Sample: Invoice#577595955858.pdf.exe Startdate: 03/03/2023 Architecture: WINDOWS Score: 100 88 Malicious sample detected (through community Yara rule) 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected RedLine Stealer 2->92 94 9 other signatures 2->94 9 Invoice#577595955858.pdf.exe 78 2->9         started        13 sokxsghrqu.exe 2->13         started        15 sokxsghrqu.exe 2->15         started        17 sokxsghrqu.exe 2->17         started        process3 file4 62 C:\Users\user\AppData\...\sokxsghrqu.exe, PE32 9->62 dropped 64 C:\Users\user\AppData\Local\...\dc crypt.exe, PE32 9->64 dropped 104 Starts an encoded Visual Basic Script (VBE) 9->104 19 wscript.exe 1 9->19         started        21 dc crypt.exe 63 9->21         started        25 RegSvcs.exe 13->25         started        28 RegSvcs.exe 15->28         started        30 RegSvcs.exe 17->30         started        signatures5 process6 dnsIp7 32 sokxsghrqu.exe 1 3 19->32         started        60 C:\Users\user\AppData\Local\...\tcqsmsla.exe, PE32 21->60 dropped 98 Starts an encoded Visual Basic Script (VBE) 21->98 36 wscript.exe 1 21->36         started        70 api.ip.sb 25->70 100 Tries to harvest and steal browser information (history, passwords, etc) 25->100 102 Tries to steal Crypto Currency Wallets 25->102 38 conhost.exe 25->38         started        72 api.ip.sb 28->72 40 conhost.exe 28->40         started        74 api.ip.sb 30->74 76 192.168.2.1 unknown unknown 30->76 42 conhost.exe 30->42         started        file8 signatures9 process10 file11 58 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 32->58 dropped 82 Writes to foreign memory regions 32->82 84 Allocates memory in foreign processes 32->84 86 Injects a PE file into a foreign processes 32->86 44 RegSvcs.exe 30 32->44         started        48 tcqsmsla.exe 1 36->48         started        signatures12 process13 dnsIp14 78 45.87.63.164, 15256, 49698, 49702 MISAKA-BACKBONE-ASMisakaNetworkIncBackboneUS United Kingdom 44->78 80 api.ip.sb 44->80 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->106 108 May check the online IP address of the machine 44->108 110 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->110 112 Tries to steal Crypto Currency Wallets 44->112 50 conhost.exe 44->50         started        114 Antivirus detection for dropped file 48->114 116 Writes to foreign memory regions 48->116 118 Allocates memory in foreign processes 48->118 120 Injects a PE file into a foreign processes 48->120 52 RegSvcs.exe 48->52         started        56 RegSvcs.exe 48->56         started        signatures15 process16 dnsIp17 66 api.telegram.org 149.154.167.220, 443, 49701, 49703 TELEGRAMRU United Kingdom 52->66 68 showip.net 162.55.60.2, 49699, 80 ACPCA United States 52->68 96 Tries to steal Crypto Currency Wallets 52->96 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 07:41:32 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
20 of 25 (80.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpnbjlof3xa4pxfkwnyy3usyaw4mbnza3odhq4k2ovdvjiqu4bpq._file
Verdict:
malicious
Similar samples:
136f87c6d9a1b61c87ba550c7f550e54d66a1b51dab1c803c43705f178ed9e55
RedLineStealer
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
RedLineStealer
592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
RedLineStealer
60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38
RedLineStealer
64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a
RedLineStealer
6c50963cb2f68cba3949a030f3e9520c239f096d22de4f104670588758dd9d26
RedLineStealer
6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d
RedLineStealer
715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
RedLineStealer
ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b
RedLineStealer
+ 2'684 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:ijele discovery infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230303-jh4njaga9w/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
45.87.63.164:15256
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/08e1569f-e439-44fc-9e87-5cc2b731daec/
SH256 hash:
9c5bd61be4757744b42a4d9d88384c8b59964a7f28a1ef8e4a2e8c39dbf83905
MD5 hash:
5cb2d18964593130955a3d73cbb2856f
SHA1 hash:
52107800cc77524e608fd070040ebece09860849
Link:
https://www.unpac.me/results/08e1569f-e439-44fc-9e87-5cc2b731daec/
SH256 hash:
a1016def1e245571b77c0b13b34d920fb593c9da348732a6b8ccb8d94a41f096
MD5 hash:
fe588ca149b00d19f5c27f7e77d26366
SHA1 hash:
626e93b49fea9a56d28a4e7652a75fd0d658a8de
Link:
https://www.unpac.me/results/08e1569f-e439-44fc-9e87-5cc2b731daec/
SH256 hash:
c943f4fdc75e4bd31e2441c2f209b6e560be92e6ff975e3d9d1ea06ba42d440d
MD5 hash:
55fdb764e0f6cb8ce6e1d44ebe18551a
SHA1 hash:
78121b1bc8498cf0c6daf5b87d11897eba60bc67
Link:
https://www.unpac.me/results/08e1569f-e439-44fc-9e87-5cc2b731daec/
SH256 hash:
cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f
MD5 hash:
a687593ca5cf9d3fee446f7925272818
SHA1 hash:
d8ec9e79259cb12c088a668afe34c4305f187c61
Link:
https://www.unpac.me/results/08e1569f-e439-44fc-9e87-5cc2b731daec/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbda14adc5dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021
Create hunting rule
Author:BlackBerry Threat Research Team
Description:Detects Unobfuscated RedLine Infostealer Executables (.NET)
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371323/

Comments