MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d73e345744ece31d3f0a53d6562088d55aeac0204dc3bb622636a1c035f78add. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	d73e345744ece31d3f0a53d6562088d55aeac0204dc3bb622636a1c035f78add
SHA3-384 hash:	d8bfe36a07140a3c364158c16e277697501488d7cdce78d14238b5ecf61cea3984c7bc2d5cd2bcb3329fd26be73aa7ac
SHA1 hash:	f7ae25c959415d894b304a224eb0ba4ceeb89831
MD5 hash:	65a3fbfd5e0f3315dab6c712b07fc24f
humanhash:	tennis-nine-april-two
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	284'539 bytes
First seen:	2022-12-07 11:07:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	696e5d477735b6019869b6f92381eb95 (5 x RedLineStealer)
ssdeep	3072:jLjO5+joIbk5zPhvW9y8SnxBay4ROncP12/yx+UX6gTW5+CxO:jLS5+joIb8isYvROne1zv
Threatray	1'785 similar samples on MalwareBazaar
TLSH	T175541A41F260AD8FFCEDD33EF436AC56CD3A2AA92160EB9E85B0F945D3254A5C072453
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://185.104.115.33/lyla/versionl.exe

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-07 11:09:06 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/45494891-fa63-40ac-b03f-132094dfcaf6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/343815/

Detection(s):

Win.Dropper.Doina-9980364-0

Win.Packed.Generic-9980374-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Connecting to a non-recommended domain

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm greyware overlay packed shell32.dll spyeye

Link:

https://www.filescan.io/uploads/639074159a505ad9423dd816/reports/5e5872ef-93ee-4ad8-852f-8fd4d4c4fc4b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d539b35-7fea-4dcd-a69b-eb75936d844e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1129806

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d73e345744ece31d3f0a53d6562088d55aeac0204dc3bb622636a1c035f78add/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-12-07 11:08:10 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=247div2e5trr2pykkplfmiei2vnovqbajxb3wyrgg2q4anpxrloq._file

Verdict:

malicious

RedLineStealer

38a4aa886e31b053da14946bda69bffcdbc9278c95d943d5f8b16bdf5a3e3915

RedLineStealer

3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991

RedLineStealer

4743bad8f6939aa7645a043208010c2a9e75fbbcbbc8ca597a0c2a74ce7b6cc0

RedLineStealer

6ae110bb6a1d79cc8090a55f52e0634997e378c13354d026c8443288942935f0

RedLineStealer

80a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6

RedLineStealer

a3679e6c9bffd5313696c15aea5074be0aa0533ee1b6419ec06969a720be6951

RedLineStealer

ade9baa65fd2f2c84d7842d6a6e5a6b8b9ffc25fcb0df6490e8d3437db9a84ff

RedLineStealer

ce39502ba085a84bf604550ba1474f803cd60e09d1cc4091836aedf878942ea1

RedLineStealer

d055262ac43d24875d47d55dd8214a9c9844c6e42f4b42e3cec11f7f0abfea3a

RedLineStealer

+ 1'775 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:lyla infostealer spyware

Link:

https://tria.ge/reports/221207-m8kvwsea9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

Malware Config

C2 Extraction:

77.73.134.15:3585

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5af0f05e-abd8-44e0-b84e-a08ed0301730

Unpacked files

SH256 hash:

3b3050f3c52405934781c6e2ecdf00c573cad0f2211722f7ca6b62992b0e386e

MD5 hash:

ddce87c997bc9a3cb9f33c4e537b0bbe

SHA1 hash:

8a855581c8b623ef0d007adef6fba0885f251084

Detections:

redline

Link:

https://www.unpac.me/results/e667b8ff-b6c4-4d49-8265-b97688ef7d48/

SH256 hash:

d73e345744ece31d3f0a53d6562088d55aeac0204dc3bb622636a1c035f78add

MD5 hash:

65a3fbfd5e0f3315dab6c712b07fc24f

SHA1 hash:

f7ae25c959415d894b304a224eb0ba4ceeb89831

Link:

https://www.unpac.me/results/e667b8ff-b6c4-4d49-8265-b97688ef7d48/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d73e345744ec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d73e345744ece31d3f0a53d6562088d55aeac0204dc3bb622636a1c035f78add

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/343815/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample