MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3
SHA3-384 hash:	4e3106e0c46ea4321ef9a43932488a87bb1ce493a0b7d733fa63e8362443d02d67e7e7be371b61a3605f47013151e36d
SHA1 hash:	8116775e15c54384355e1be23ef43c0210bc47e3
MD5 hash:	43d0366eb304481961796982f625245e
humanhash:	september-quiet-coffee-uncle
File name:	43d0366eb304481961796982f625245e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	431'104 bytes
First seen:	2023-05-20 04:06:07 UTC
Last seen:	2023-05-20 14:49:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ae9915252ab3bdca2ee2d4adbefb02c2 (6 x Stop, 4 x RedLineStealer, 3 x Amadey)
ssdeep	6144:/84MXK9A3iAG6kQtqG0tl95XjxXNkYH9Zpks7BC0OqTdKm:KXK9A3iHNQsnTXlXCYzbVCP6dr
Threatray	44 similar samples on MalwareBazaar
TLSH	T164948D0392A1BC61E9365672AE2EC6F8761DF9504F1937DB22086FEF14712B2C973316
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13097/50/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	c088c8a4c0c8c080 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.81.68.115:2920

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

43d0366eb304481961796982f625245e.exe

Verdict:

Malicious activity

Analysis date:

2023-05-20 04:09:00 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/59e4e0ca-ca2c-45ed-bd8f-1db5236c9d25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29322.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/85890/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/646847668f4dae9ba92434ab/reports/5d9575ec-465b-4886-82b6-66a435a2e317/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/14bc3ef2-75b2-4ebb-baf6-77cb380cfd14

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1237844

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-05-20 04:07:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2eli2eog6dcgrgxosk74kgiagi2gsjoxr5l7ljicwxqrgcpj6ozq._file

Verdict:

malicious

RedLineStealer

1e6feb0749b0cfffd2e085d364667c6040cf008a59b0831a74c82db2256055b6

RedLineStealer

1fd69f09311ce43388620c19162acd54b86701eea3112da066e3d905205ab223

RedLineStealer

28da267cd03efdfd51d9580f406b4e79549b535747817b1d285a549a247258b2

RedLineStealer

727df79548ea43456317931d6d2afdc98a84856bd1d6779c0dac4d4bc5d3c49c

RedLineStealer

9893ec0e2902925018922ca40cc3495001dec4ccd32137cc13566c74bd1438e1

RedLineStealer

a0e4515ee2de51f5ff5a41b03fd7e993f075c889f297d63143b1620cdcf9d9db

RedLineStealer

bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53

RedLineStealer

c45d9ba24cf0bfa06a2d725ab02811c96025418d7dab9e7644310e512f98ee2c

RedLineStealer

f84bbac5444f77d81d4d3739f949d630b806957183aa1b797445ea35e9b0db11

RedLineStealer

+ 34 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230520-epmldada9z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

6d387b94e0120a94ab745ddd68cc5531b1137ec954afdf23bd3d4f571e36aa13

MD5 hash:

b976665d8b48fafb6a7d6dc535afd519

SHA1 hash:

59bcf224a78259bfe4cadb1c31407c574f2c22b5

Detections:

redline

Link:

https://www.unpac.me/results/3245c9a9-c6f2-4805-a416-b5cb77c3c9c5/

Parent samples :

0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501
f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53
1fd69f09311ce43388620c19162acd54b86701eea3112da066e3d905205ab223
d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3
fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b
2f745b7e0fd4a560ae3519285a02388f8264fc2b68e3dbe217683515b65a754f
3101f6b59315da1a8b0024755a66e13319634e51bc695ea60361c1be51cddfe3

SH256 hash:

abc681771581e32e28a2873bc6c5fac1f22793524300c207e77d3320df8ff4ec

MD5 hash:

f16c9d9a049a0b987a725ef0ae618927

SHA1 hash:

5745600576f586b53b57d6fc668e7be0a4d0b119

Link:

https://www.unpac.me/results/3245c9a9-c6f2-4805-a416-b5cb77c3c9c5/

SH256 hash:

a785a5e1f0472823df00c77373037df82aa490ddc3b52b5bb1bc42629dcbf03e

MD5 hash:

1df5f40f2337d55b5c31203e3ba87efe

SHA1 hash:

5171dea6a222b51109d9f926629ae6cb785ec7a8

Detections:

redline

Link:

https://www.unpac.me/results/3245c9a9-c6f2-4805-a416-b5cb77c3c9c5/

Parent samples :

SH256 hash:

d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3

MD5 hash:

43d0366eb304481961796982f625245e

SHA1 hash:

8116775e15c54384355e1be23ef43c0210bc47e3

Link:

https://www.unpac.me/results/3245c9a9-c6f2-4805-a416-b5cb77c3c9c5/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d1168d11c6f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2604056/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample