MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528
SHA3-384 hash: 92a8ceca4ec40101dea3758ea2f73ade51a4e3a7063f4463d122484adcde6cce36896f6f36c11ebbbb1e477c535aa03f
SHA1 hash: e135d4a8ec8d5c3634eebf3e021cce3125e4d84f
MD5 hash: 884c251b9d315d72bc5577eb72c7e79f
humanhash: neptune-oven-emma-mirror
File name:Fortnite hack.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'272'149 bytes
First seen:2022-05-30 16:43:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0629c55152d38b4029f7de8a08e08d5c (7 x RedLineStealer)
ssdeep 24576:Lj7cfHzaaqQZW9xV/ZirUnyr0hom5o14uQ5p3h35DZ:r4+3U0hom7
Threatray 148 similar samples on MalwareBazaar
TLSH T1EBB509136A8B0E75DDC27BB461CB633A9734FE30CA269B7FF609C43599532C4681A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Fortnite hack.exe
Verdict:
Malicious activity
Analysis date:
2022-05-30 16:42:37 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/37a593fd-6177-4358-af3b-620159395780

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275533/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.88287.31129.22794.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye
Link:
https://www.filescan.io/uploads/6294f42fabd12523508648bb/reports/189a756a-ca8d-43f4-8b98-e81a777607d6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29f132b1-3e6e-4cb1-a158-105f116395de
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003786
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528/
Threat name:
Win32.Trojan.SpyStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-30 16:44:10 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2bzt43ldzskfgbnazv5kck4gw5oqy2ca67m6zbj2zi3zyggceuua._file
Verdict:
malicious
Similar samples:
05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1
RedLineStealer
53a7a867dfacb28aad8efcd8ffb41256a3f4b717fdf50251da0de4b4b4621a1c
RedLineStealer
8101c71c2c31df8da09ed7dd55da9bbd949b028f8f54f0e1cbffab82b192ed87
RedLineStealer
84858e95dcf7fe3cb43f819f8b496ecc1b44e6f4ea938fb00b0b5c117e9b4075
RedLineStealer
b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01
RedLineStealer
b3bed1dd25d3031b2d951cab09c87524e022c3cae334e627e26b68e7fb7b9770
RedLineStealer
c3e1e5ecdab6126e17bf88fbfee1cd7141d0cbf8f80d939632b479448aec681a
RedLineStealer
e2f406a64288fc869e73312835ddeaab6b70ceb8d02661eff96a7a98dc5f261a
RedLineStealer
e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917
RedLineStealer
e69716b0ea13b412bf6e3ac4f9a0bca987d99788f9d20cedd8fcacee0a7c3f38
RedLineStealer
+ 138 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware stealer upx
Link:
https://tria.ge/reports/220530-t797qacbb7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.83:60722
Unpacked files
SH256 hash:
f98150f687c1c69c2c08997e2f52fdec847a3f2c8c8d583de1fbdb537e85499f
MD5 hash:
2d3a6f3c270012e1a64a9d048e59920b
SHA1 hash:
813a9fa416523551d1c60e80b38a4c79433391b8
Link:
https://www.unpac.me/results/0ef4e9c2-c844-44da-a9e1-cf8955584dbc/
SH256 hash:
d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528
MD5 hash:
884c251b9d315d72bc5577eb72c7e79f
SHA1 hash:
e135d4a8ec8d5c3634eebf3e021cce3125e4d84f
Link:
https://www.unpac.me/results/0ef4e9c2-c844-44da-a9e1-cf8955584dbc/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0733e6d63cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/275533/

Comments