MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd613a472ee444ebdabe6219452c6a31eff020d162eb079eb52141b018add9df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd613a472ee444ebdabe6219452c6a31eff020d162eb079eb52141b018add9df
SHA3-384 hash: 608ada520b5507164b3d6c4425ca7c6607f0dd80bfcc03f63b9795c2234ae37e6d6d7350b79ac7d261f2012a1bf86c98
SHA1 hash: fbc52093c33b489ae43333f1fefdbd79cc643587
MD5 hash: c19cb6fb47b51fd5d47548dfbe60568f
humanhash: purple-crazy-zebra-summer
File name:c19cb6fb47b51fd5d47548dfbe60568f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:435'200 bytes
First seen:2021-11-14 06:51:37 UTC
Last seen:2021-11-14 09:10:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d58d46cb4da553c2a028fd56457c4dc (9 x RaccoonStealer, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:q8JWreV2Pc9bUql+fJN0kJ4iZe6hJyG+S0kpznHWv9ezTbW6YJ9y:JWrSlBUZfJpXe6OG+S0qznHWvcbWhJY
Threatray 3'741 similar samples on MalwareBazaar
TLSH T1D094B000B7E0D035F2F756F44AB592A9B92E7EA19B34A1CF22C526EA47346D1ED30317
File icon (PE):PE icon
dhash icon eae8e8e8aa62a499 (3 x RaccoonStealer, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205596/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.113.20503.8837.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a UDP request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed wacatac
Link:
https://www.filescan.io/uploads/6190b2163edf00a722d33d1f/reports/f382fd1c-afdb-4403-91a0-941005fd6121/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb8dcc9a-e493-4f24-88e7-23ecc93fd5c2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888775
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd613a472ee444ebdabe6219452c6a31eff020d162eb079eb52141b018add9df/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-14 05:20:10 UTC
AV detection:
27 of 27 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvqturzo4rcoxwv6mimukldkghx7aigrmlvqphvvefa3agfn3hpq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374
RedLineStealer
510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901
RedLineStealer
6a7af1d145e133bfd37416108227befcfd1c15597f3a05fdf39ec95b9e8f1cfe
RedLineStealer
8016197048d53acca6887b24cb17fc392a88ec3774f95d15693dfbf1004f497f
RedLineStealer
a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c
RedLineStealer
d89cd1fb0e4bbb77266c9142ae9433c8d2232406eaf8bffed325d5c65cc018a7
RedLineStealer
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c
RedLineStealer
+ 3'731 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:udptest discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211114-hm325agab9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.56.146.64:65441
Unpacked files
SH256 hash:
eb67a388dba708c47989e862e85a12233448649d905f222c2874b17af1932eb1
MD5 hash:
2f514191d8a8850e51255cd54e96de2d
SHA1 hash:
8305d1b1bee5e7cc01087363e182b7adb3a39800
Link:
https://www.unpac.me/results/1221c4be-9948-467b-b815-995020b944a1/
SH256 hash:
e1ae7e2b33b3dc036f12fac7f372134090935de29d453fdc0c838db5288340ab
MD5 hash:
c1108718dcfb2b7a752e2c4c1e27659d
SHA1 hash:
59c7c4ca474af49a7fc77e58da554f02f9d68191
Link:
https://www.unpac.me/results/1221c4be-9948-467b-b815-995020b944a1/
SH256 hash:
a3016b6e5863c9b51ef7616c7bb720c2a2dc4b4ff545af47aabc8ad82b5dc45c
MD5 hash:
988bab2529a6b385e407ba8ef050dc51
SHA1 hash:
3851cb15de623f44d62581e970ab183d8ed4769c
Link:
https://www.unpac.me/results/1221c4be-9948-467b-b815-995020b944a1/
SH256 hash:
cd613a472ee444ebdabe6219452c6a31eff020d162eb079eb52141b018add9df
MD5 hash:
c19cb6fb47b51fd5d47548dfbe60568f
SHA1 hash:
fbc52093c33b489ae43333f1fefdbd79cc643587
Link:
https://www.unpac.me/results/1221c4be-9948-467b-b815-995020b944a1/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cd613a472ee4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cd613a472ee444ebdabe6219452c6a31eff020d162eb079eb52141b018add9df

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1582746/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205596/

Comments