MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6970d01f1f0eb110e3be4837f67062b27bcf9960fb4deca4487862018c63bd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6970d01f1f0eb110e3be4837f67062b27bcf9960fb4deca4487862018c63bd6
SHA3-384 hash: 468eaa60f3e6318f21913ee55b219259a8d4cbe9d30d8a497c489cad6829a720b15043cc83c27040ee45cf6be36087ab
SHA1 hash: f21882a7edd86b51f0759816ddce92654e99a1a2
MD5 hash: 2914e85be35c8f9fd82dfc300f6eea5c
humanhash: queen-island-hawaii-green
File name:2914e85be35c8f9fd82dfc300f6eea5c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:459'776 bytes
First seen:2021-10-30 06:48:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 12288:a5oaqjp/9TYxFrHXj5W3WEMUAdiEaOQoY+YM+E:a5v4DTYxFr+WECiEaOLwM+E
Threatray 1'724 similar samples on MalwareBazaar
TLSH T13BA4F06772E01199DBB446F6C9620706E670B8721710A3DF2BB817B71B1B4D99F7C3A0
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Malware overload installer.bin
Verdict:
Malicious activity
Analysis date:
2021-10-29 18:47:05 UTC
Tags:
trojan rat redline evasion loader stealer opendir vidar formbook raccoon malware botnet cnc-server
Link:
https://app.any.run/tasks/e1a857cd-bc4a-421a-ada3-c85856252aaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33822938.14445.490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files
Sending an HTTP GET request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1e5afc0-23a6-4dd0-9011-5929ddd79c78
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/879725
Signature
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512158 Sample: PK48ObtKys.exe Startdate: 30/10/2021 Architecture: WINDOWS Score: 54 35 Antivirus detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected BatToExe compiled binary 2->39 7 PK48ObtKys.exe 9 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\553A.bat, ASCII 7->27 dropped 10 cmd.exe 3 7->10         started        13 conhost.exe 7->13         started        process5 signatures6 41 Uses BatToExe to download additional code 10->41 15 extd.exe 1 10->15         started        18 extd.exe 2 10->18         started        21 extd.exe 2 10->21         started        23 extd.exe 1 10->23         started        process7 dnsIp8 43 Multi AV Scanner detection for dropped file 15->43 29 162.159.133.233, 443, 49750 CLOUDFLARENETUS United States 18->29 31 192.168.2.1 unknown unknown 18->31 33 cdn.discordapp.com 162.159.130.233, 443, 49745 CLOUDFLARENETUS United States 21->33 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6970d01f1f0eb110e3be4837f67062b27bcf9960fb4deca4487862018c63bd6/
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 20:40:22 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=22lq2apr6dvrcdr34sbx6zygfmt3z6mwb62n5sseq6dcaggghpla._file
Verdict:
malicious
Similar samples:
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
RedLineStealer
1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba
RedLineStealer
30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49
RedLineStealer
46fa3d475c4f406890b4c26589c6c937c58813c2ee5a3782621e1b78288e35e9
RedLineStealer
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
RedLineStealer
96c8b3ebbf0c015414e7a27a128dce9a4e4fc7c926904884fd16036c9afdd413
RedLineStealer
ba59622733f580592e807c44751503149a54f104b593b097dee0d6cd9e314bcc
RedLineStealer
ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
RedLineStealer
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
RedLineStealer
+ 1'714 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer suricata upx
Link:
https://tria.ge/reports/211030-hlc5babcfk/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Unpacked files
SH256 hash:
d6970d01f1f0eb110e3be4837f67062b27bcf9960fb4deca4487862018c63bd6
MD5 hash:
2914e85be35c8f9fd82dfc300f6eea5c
SHA1 hash:
f21882a7edd86b51f0759816ddce92654e99a1a2
Link:
https://www.unpac.me/results/d9e2c654-0f72-4c36-92e5-e7b15a6251a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6970d01f1f0eb110e3be4837f67062b27bcf9960fb4deca4487862018c63bd6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d6970d01f1f0eb110e3be4837f67062b27bcf9960fb4deca4487862018c63bd6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642879/
  
Delivery method
Distributed via web download

Comments