MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1783d29c7835eba758f19e3d999c8d2244a650ba2c7614e6cbcf7895c358c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1783d29c7835eba758f19e3d999c8d2244a650ba2c7614e6cbcf7895c358c61
SHA3-384 hash: e734fc24e956ee1b030bb3543c4eb3b4587b5142e5edf76afd018cdfbb425ed0eb067a1fa9367ca8270e5ce5133b7dbf
SHA1 hash: b5283cc3dde4721d2178a530890869a9a128fb88
MD5 hash: 443d0b0ec795ab90d32883d74224e45a
humanhash: butter-harry-florida-colorado
File name:443d0b0ec795ab90d32883d74224e45a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'546'589 bytes
First seen:2021-12-03 09:51:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:udKY2BkXljPQT0i1sZwIX+BVtzHbIKYDqGVqtvo01WEajhUG:udKY2aXljYm6IXI3DbIxGGVmvRmjhUG
Threatray 314 similar samples on MalwareBazaar
TLSH T189C5339376A09B7BE4A3037921C87638BBF5A6A10F1790D7F72C49092D20BD477B8587
File icon (PE):PE icon
dhash icon 6192a6a6a6a6c401 (17 x RedLineStealer, 11 x PythonStealer, 9 x DCRat)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.243.59.82:52712

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.243.59.82:52712 https://threatfox.abuse.ch/ioc/258829/

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
443d0b0ec795ab90d32883d74224e45a.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-03 10:50:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3583aaa-0754-4fb7-b5ba-99cf9cff8e6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210982/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Creating a process from a recently created file
Replacing files
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/636/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger overlay packed
Link:
https://www.filescan.io/uploads/61a9e8c847ed217c012fb9de/reports/20becb9b-7913-4c0a-9b30-fd36a119ee32/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a717b560-8007-4066-a339-9c7c4faba6b8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/900758
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1783d29c7835eba758f19e3d999c8d2244a650ba2c7614e6cbcf7895c358c61/
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-03 03:46:10 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2f4d2kohqnplu5mpdhr5tgoi2iseuziluldwcttmxt3ysxbvrrqq._file
Verdict:
malicious
Similar samples:
19c5bbe3666c5091df78c6fa71f9c84798d42d4a8386aa6de4c38a67a661c100
RedLineStealer
2e150d7c07b1e33fec7acafa7c4d556c01ae2a8b41d67a80996bda3e71a312dd
RedLineStealer
3a48f675be894ad3fa2c9d0f1ea37ccaea20ff71d4381dc4e09804bc455a2d12
RedLineStealer
4f1af996a6a32b402d0b75a37f4412d3e2b6502ed95a4055e8a2313f83543cfa
RedLineStealer
6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0
RedLineStealer
955c3dabe6486e6e66a2796c175aeef0830c8047eae3501c3c9823985d11bf43
RedLineStealer
a832cae5c8de458edf6a4604d3e0e19fb74300baaeeb212227330df9e7927088
RedLineStealer
abaaec80f4b0d2fccb5b2c09869a9f86628b987f7369abefce67108dd1982595
RedLineStealer
+ 304 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:hiisaa discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211203-lv39msbae3/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.243.59.82:52712
Unpacked files
SH256 hash:
1893804ae5e178169ae73570b319c45781697258944063938f6be7389b177dcc
MD5 hash:
b882c4751324259d692170d861b8830d
SHA1 hash:
596c359871ce0c2c37894943596be8a014486340
Link:
https://www.unpac.me/results/5a251098-197a-46e6-a76e-be99e966973f/
SH256 hash:
d1783d29c7835eba758f19e3d999c8d2244a650ba2c7614e6cbcf7895c358c61
MD5 hash:
443d0b0ec795ab90d32883d74224e45a
SHA1 hash:
b5283cc3dde4721d2178a530890869a9a128fb88
Link:
https://www.unpac.me/results/5a251098-197a-46e6-a76e-be99e966973f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d1783d29c783/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1783d29c7835eba758f19e3d999c8d2244a650ba2c7614e6cbcf7895c358c61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d1783d29c7835eba758f19e3d999c8d2244a650ba2c7614e6cbcf7895c358c61

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1828281/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/210982/

Comments