MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5741230e639ea52f1bb8cb9ea0d760ff6f2095878320f9a259871482638b72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb5741230e639ea52f1bb8cb9ea0d760ff6f2095878320f9a259871482638b72
SHA3-384 hash: 4fb86207a7cd80b67e839b94f30c33d133dfca3977f45643da144b07c79442dc52cf8966edbe1b80bc3404012bb42490
SHA1 hash: d6a3d29c6bf4cf89da2632bdc8fbd999e8274d6f
MD5 hash: b921c728977bbc8da6065b4fed4bc115
humanhash: mexico-solar-wisconsin-kentucky
File name:NordVPNKeyinstaller.v1.0.2023.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:557'056 bytes
First seen:2023-01-21 08:35:19 UTC
Last seen:2023-01-24 06:26:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 08f94a6a65632f59161d69bf6ff449b1 (1 x RedLineStealer)
ssdeep 6144:oTqa+rypBCk+Fx7/BCttXZab6149nxB6qfs9u/O1aulvwdE6AegJpaijgBwTFg5v:Dr/IabNVf6qlO1fvwd+RjpTWamJ
Threatray 1'848 similar samples on MalwareBazaar
TLSH T15DC4AE5E3DF6C03BC271C0B08FA487D4A6FB9AA64D630A8B2788471C5E75D85C32757A
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13097/50/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
135.181.156.149:34325

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NordVPNKeyinstaller.v1.0.2023.exe
Verdict:
No threats detected
Analysis date:
2023-01-21 08:49:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77153aec-098c-46b4-88f6-4809449a607a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355298/
Result
Verdict:
Clean
Maliciousness:
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
explorer.exe fingerprint greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63cba3f51c9cbf7d6250ef76/reports/d008ade1-bb31-4e73-a8d0-b5d1f00b3081/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/61d3f019-0237-4104-a636-97f33669f829
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1156124
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb5741230e639ea52f1bb8cb9ea0d760ff6f2095878320f9a259871482638b72/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-01-21 08:38:26 UTC
File Type:
PE (Exe)
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nluciyomopkkly3xdfz5igxmd7w6ievq6bsb6nclgdrjatdrnza._file
Verdict:
malicious
Similar samples:
3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141
RedLineStealer
4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
RedLineStealer
75950a203bdbb89f997cecf909ef1221f9776efaf995d6fe8c108f29830a97a8
RedLineStealer
84fb9818cd2c3445b4d5441adb8363ba4795872cc0193afa0d5faadce425c527
RedLineStealer
99574d9f64bd750fd89fedefe1dce8bbbd81eeaf740140f7887e92aaf5fea53b
RedLineStealer
d1953656ec53ea30ab42db20cf50c09fd318e2024f7a561878bd4aa897736ad2
RedLineStealer
e1a5acda061debd043c819156a00f5e7a904a4a2c2a7bd9f888ca6fece353be0
RedLineStealer
+ 1'838 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:metacrypttest discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230121-khkq4ade8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
135.181.156.149:34325
Unpacked files
SH256 hash:
ee5d5165268b6536aabea10c460529a20b6e4cf0b64cc4aca5551d60b0930812
MD5 hash:
6cab7eb820d1bba4bb58544c14c89cf4
SHA1 hash:
c1b6ab5876bf08fd96c2cee38e824d1fea2d326e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f4c3ef31-18fe-4c23-96af-8af038bd826f/
SH256 hash:
eb5741230e639ea52f1bb8cb9ea0d760ff6f2095878320f9a259871482638b72
MD5 hash:
b921c728977bbc8da6065b4fed4bc115
SHA1 hash:
d6a3d29c6bf4cf89da2632bdc8fbd999e8274d6f
Link:
https://www.unpac.me/results/f4c3ef31-18fe-4c23-96af-8af038bd826f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb5741230e63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb5741230e639ea52f1bb8cb9ea0d760ff6f2095878320f9a259871482638b72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355298/

Comments