MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e4fb5ef655bc31d980ad861393c2d7cbded5318f8417d2f7c9f5267d164c05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5e4fb5ef655bc31d980ad861393c2d7cbded5318f8417d2f7c9f5267d164c05
SHA3-384 hash: 80ee3cce876d451eea17977f374e737ed8b835d862f31a7e55a5aeb69f87c76fbd9adbb82a155075ed2f2adbf77122f1
SHA1 hash: 569d8d447e763b689cec0937f9a5c9ad5739b7ce
MD5 hash: 60500c59cbc36017d0b0212f6291e492
humanhash: robert-uniform-enemy-south
File name:60500c59cbc36017d0b0212f6291e492.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:305'664 bytes
First seen:2021-11-19 10:46:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d8d57c6d7c1f3570e93e87f831cb3f7a (2 x RedLineStealer, 1 x Formbook, 1 x CMSBrute)
ssdeep 6144:DFMvj+Cu2kFQqVI1JtFJiD5ArDT8KRv61A2SipznJ97SGAn:DFyj+Cu2kqqVIh6eXT8j93G
Threatray 3'907 similar samples on MalwareBazaar
TLSH T132540102B7F18031D1F339302971E6B90D7F7C32B970419A6BA81B1E6DB16E05AB5797
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c8 (18 x RedLineStealer, 10 x RaccoonStealer, 5 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.216.168.100:38784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.216.168.100:38784 https://threatfox.abuse.ch/ioc/250769/

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
60500c59cbc36017d0b0212f6291e492.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-19 10:59:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1eb9de5c-431d-4bd9-bd69-c0f728787830

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619780a943e8f62b669a405b/reports/156359ca-736c-4efc-b9a1-26b6ea2d7921/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19a9844c-4797-4a87-8b6f-568edb5d24a4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/892590
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5e4fb5ef655bc31d980ad861393c2d7cbded5318f8417d2f7c9f5267d164c05/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 10:47:05 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xspwxxwkw6ddwmavwdbhe6c27f55vjrr6cbpuxxzh2sm7iwjqcq._file
Verdict:
malicious
Similar samples:
067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557
RedLineStealer
136b09653c55e04d3c4162c116bebb52dc337d62cdd69e2f0977fbc17e69dfd0
RedLineStealer
2f5ea90c14a9eff6482a7c7c020b9a65faebf7a98af718a1e3c9a3b2356eb509
RedLineStealer
5b933c3fb67bf55d52084d5007be89d7160bb138c5ff28a7492f0334241c0593
RedLineStealer
9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784cddd7406dfde89034a4
RedLineStealer
cc87729bab09fd3d13ceb36c1ea3ed112e7c1713a640ac4533c6f60f1a9640ba
RedLineStealer
ed786315c90cafc4e4b6fe237cebec8a8bd038b6203da8477d19ec8bbb9a09e4
RedLineStealer
ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868
RedLineStealer
f14f18ed96467a5005fd9bc67ff6b4a2c253a2438461880fff9d5cee2a26959d
RedLineStealer
+ 3'897 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1811 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211119-mvjexadbd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.216.168.100:38784
Unpacked files
SH256 hash:
32b581b32370d39e23c3ef09ee343ef0dd3c5b2a5a852da36d0ac5d4a943225c
MD5 hash:
230c4cbe02163550b3f7b0cf55697860
SHA1 hash:
9a14616eb3c594456c48bb19818f04c2f2ec4d2c
Link:
https://www.unpac.me/results/e94e4bca-cfb4-40cf-b2d0-fccfe248e7ef/
SH256 hash:
77027babe298e46885e1d3182f5bc34a1ab6bd2ae07d902e4c868a1c092209a8
MD5 hash:
fdb7485913262b8efe6cbea8029a09b4
SHA1 hash:
8caa8a8a0e5efaea224d25e0fb877fc9e08a0c56
Link:
https://www.unpac.me/results/e94e4bca-cfb4-40cf-b2d0-fccfe248e7ef/
SH256 hash:
6198042db49e0403f6c5dd514a596e186cd9780c35e80294bc727b509bf3f3d1
MD5 hash:
102658510d05e463f0afa0ecd5f3c8b5
SHA1 hash:
31b925feff6274124d2eb1ce5605d1ec321db045
Link:
https://www.unpac.me/results/e94e4bca-cfb4-40cf-b2d0-fccfe248e7ef/
SH256 hash:
d5e4fb5ef655bc31d980ad861393c2d7cbded5318f8417d2f7c9f5267d164c05
MD5 hash:
60500c59cbc36017d0b0212f6291e492
SHA1 hash:
569d8d447e763b689cec0937f9a5c9ad5739b7ce
Link:
https://www.unpac.me/results/e94e4bca-cfb4-40cf-b2d0-fccfe248e7ef/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d5e4fb5ef655/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5e4fb5ef655bc31d980ad861393c2d7cbded5318f8417d2f7c9f5267d164c05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d5e4fb5ef655bc31d980ad861393c2d7cbded5318f8417d2f7c9f5267d164c05

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1800537/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207588/

Comments