MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db6244835cdf712e251cad21cc059c7e838feb17ff6b5c2f2455fc6e163d3154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: db6244835cdf712e251cad21cc059c7e838feb17ff6b5c2f2455fc6e163d3154
SHA3-384 hash: 15f349f2981653bd4e6fe6301b9df154f99f12a0c400283d1b57d1cf4a64efb7c60135d7ff4f94db0ee0f47326d22f80
SHA1 hash: 46b9c0570196add272162ef8df137829252a34b2
MD5 hash: 4167760c56a1356662f73c9798b8091d
humanhash: ohio-north-blossom-pasta
File name: detka4.exe
Signature: RedLineStealer
File size: 709'120 bytes
First seen: 2021-10-28 16:13:41 UTC
Last seen: 2021-10-28 17:14:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 046b07cdd38a5381be96e8c491f1cf3c (1 x RedLineStealer)
ssdeep: 12288:y8RM7qmIj+JkbWqkWG66gEUqWxfayTJQhYudlfyOi6:LmIj+CQWG6WMa5Yud9ni
Threatray: 502 similar samples on MalwareBazaar
TLSH: T13DE4CF39F717DC42E26C17B092E75FA41913D89632E048275BB24A197DB63E1BC2AFC4
Reporter: Anonymous
Tags: exe RedLineStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.67.228.152:54641
ThreatFox reference: https://threatfox.abuse.ch/ioc/130834/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 222
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Behaviour: Launching the default Windows debugger (dwwin.exe)

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature:
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Result
Threat name: Win32.Trojan.Bulz
Status: Malicious
First seen: 2021-10-28 16:14:06 UTC
AV detection: 13 of 44 (29.55%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:space discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 45.67.228.152:54641
Unpacked files
Result
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.
