MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7
SHA3-384 hash: 406c7ab3fdc4690de12e934b24f23b08827a9230a21c98222357d1d5d7c0d91e90ea0495095636a5259477e04be95490
SHA1 hash: 608a1957ba97441b9596732b2d00036e385b38ce
MD5 hash: 7970de1dcf66dff399befd012521bcd2
humanhash: arkansas-failed-massachusetts-illinois
File name:7970de1dcf66dff399befd012521bcd2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:380'416 bytes
First seen:2023-05-11 08:30:08 UTC
Last seen:2023-05-13 22:44:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dac3c11d45819b7994d02cd08167cb44 (1 x RedLineStealer, 1 x RecordBreaker, 1 x UACModuleSmokeLoader)
ssdeep 6144:FbpzO3LduTTDKtq7BqkyRC+lWAeis9hbM6zxoaQQ/7:RAJuTTtnyI+Ez/bM6zbQ
Threatray 5 similar samples on MalwareBazaar
TLSH T1D8846D2393A17C54E9274B72AE2EC6EC371EF3504F59776626189E2F05B02B2C173B19
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00089898a282c0c0 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
178.33.182.70:18918

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
7970de1dcf66dff399befd012521bcd2.exe
Verdict:
Malicious activity
Analysis date:
2023-05-11 08:30:41 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/69c5e495-8a5c-45ab-a77e-b9d21241b134

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388377/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/645ca7c84427eddb118c1060/reports/51318eb2-fef7-4d3a-95f7-5bdca982953b/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/530c73af-3558-4c7f-81e3-486ef19c483e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1230648
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7/
Threat name:
Win32.Trojan.Babar
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 08:31:07 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5v43mgmo7wmnsebgmrwfns34t2vmhapdccqf4y6uzcjghe4blldq._file
Verdict:
malicious
Similar samples:
3c11dac0621f47c72e6a68d8530a2be70fa11a2cffc05d04344d49f2b837f3bc
RedLineStealer
5657fc736fa541e5ce3a07785e09100fd93b178e57f4cac7b961e57a1b4c72dc
RedLineStealer
665159ba5b8aab3fe2196934780c26ee1e191b262cecc200531821590e68c2ac
RedLineStealer
72038bf643a6ee49d3eaeade91a2a87c88e86084f5593dd9929e49e3fd9d8732
RedLineStealer
ace69ec865ded98976cddfe028ed70b5fa60a0fd5c01f1996ed160ecd3d5c859
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230511-kep7eacf42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
178.33.182.70:18918
Unpacked files
SH256 hash:
af5d0d1bdcfe468a53aeea272d405b1edd2b1551060ba22892d768584af66c66
MD5 hash:
00872cce9b9c82fdbccaf8f87843bb8c
SHA1 hash:
8fbe95764fb565349eaf23700f7458c6da818170
Link:
https://www.unpac.me/results/35e68443-a44a-46e5-9480-f8b582fe8710/
SH256 hash:
002947895ec62b875c2916de0afb1d57b1f71abd2d6c76b6826d83586c9432b6
MD5 hash:
8e66c290e3974f86f2c26a2acf2c242b
SHA1 hash:
6fab2d7abddee63e3db67461f806bbd774dfcb38
Link:
https://www.unpac.me/results/35e68443-a44a-46e5-9480-f8b582fe8710/
SH256 hash:
a84133f404333d0059e6b6336346acbdee71c19fc316651a59b832d688cf765a
MD5 hash:
f6aa6e5bf12c39d45a450f9f17cde64e
SHA1 hash:
6cf7d0d5dbdbb1845bac91f236c9f2152fa58b3a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/35e68443-a44a-46e5-9480-f8b582fe8710/
Parent samples :
ace69ec865ded98976cddfe028ed70b5fa60a0fd5c01f1996ed160ecd3d5c859
72038bf643a6ee49d3eaeade91a2a87c88e86084f5593dd9929e49e3fd9d8732
5657fc736fa541e5ce3a07785e09100fd93b178e57f4cac7b961e57a1b4c72dc
3c11dac0621f47c72e6a68d8530a2be70fa11a2cffc05d04344d49f2b837f3bc
665159ba5b8aab3fe2196934780c26ee1e191b262cecc200531821590e68c2ac
ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7
7ad4f4717e68ad2d2325c6c039c2b0875890ad9d0baba986d868535680591923
8a47d16dd380f046459e2fd1ebc636a1bba301d521587cc147b4240de545b20e
e29264d11a7be505c2d3a54b49287a98445d6084492d51a343646aa2004b02a3
cd4770d4203ebb6ba64f86cebc1dc41e73eedd471ba798f4d430f61dc1e91be2
8210f3c9825357f5c455a27d5b16b3d9aa63d676af5b63a99a8f6a0a7a216e2c
4085651e02ebe85c6caa4951e0f1fbc21f9c5e3d098d4bda3f3ed1d287d75df1
b49651616836ac1e4d564752217e790374aebcc45297fc3a7a8c5863b9a6cc47
b34b8166ac684784ba4675b56706a9c8f05ba3f4418b4fb67880bb09586e5a19
4ad18e97811de81cfe2a3051d49ccc86cdd6bc03db21081edbcdfbadd68e58b3
e7c9c79948e5fca5447d4dde753f80ac4c7345361b9556aa0dfea061bdbbd94d
cd255ffa7973cee8e0db0cdc9959a616ced95e020a8b92ad503ea309425de033
4d7d5bd7b576fdef5e4352d775bfdf41728477d805bcd1ad8fcb1a8dafac45d2
c00935c3d68d60908b67b83aba7887c4c9b214028af047f1444e2cbc4626ed87
d2d7fea4ea43332f4fb92fcb10ba54b255fb166c058290865d2532be0c6cea6e
bde14637586f65e03996e7a45ca13891ed4725c49bd9b1b95c0b640fba1ee867
9e168c82de9d5a9cfaca738e8a210dc756a6286264b73ef4c5d1ae32f6c25d67
cec777fb8c3d41fa7d7668691f44739b3657539f14ce7364033bbbc4d9d4b4ab
f0302c584d58d5d2d52d68651352c03789392669a38c3aa2ed505d4698a6f9fe
f1607f4a47e7b2fbbb8e6c5af2ecd4c85f85129b8724b1020bb6f13717aeb758
fe531dc9fc72351d60ee3f1641595ffc76789f282e7078a4b7553cb8d031260e
9aa24f45e364a29eb92748cfc1e318beceb909fa19b5b5dfe043a495fc5fd2d2
794cc354a71c5992f8b303a76a4378630d320d3711ada97664ab97b99e3604e1
cc3db2672c67361b617dfb0dca6396da949938d494e7d29e1bafda56263fb55c
14eaa5abc921931a75c1496d523556a91f9c9ff436dd9d1d1eb8dad74d7929c5
e81d2bf102d02b7e5f1d25b19b7ef18c2645c3059b8a9534ffff37c6a668be11
cf964698579bc9ea5e862771b92db9abc95ea18d94d6005c5dbc564336e927db
9c578140205c94ce1f94fb18b2a08bea1d1ef0323252fa81f2acce185c8e1036
28aec7fadc4fac6d849aa513024bdf78d4e69dba855f480354da15d9a24d950e
984541ecf749d574077ed9da7912cbf9643f2204c99b26cf843f278543317b94
d698ff2e1f16f44726ec9056282bb17e80a1303be426156e70063f440ff882fc
SH256 hash:
d7101261935e49f3c28026c52a9b626fa1862206c21465806c280d962a590774
MD5 hash:
3fdcdf9c2d3c823e3ff8edca6aecc502
SHA1 hash:
57c14f969c6e2103eac1e9e07fb1e688e645efc8
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/35e68443-a44a-46e5-9480-f8b582fe8710/
Parent samples :
ace69ec865ded98976cddfe028ed70b5fa60a0fd5c01f1996ed160ecd3d5c859
72038bf643a6ee49d3eaeade91a2a87c88e86084f5593dd9929e49e3fd9d8732
5657fc736fa541e5ce3a07785e09100fd93b178e57f4cac7b961e57a1b4c72dc
3c11dac0621f47c72e6a68d8530a2be70fa11a2cffc05d04344d49f2b837f3bc
665159ba5b8aab3fe2196934780c26ee1e191b262cecc200531821590e68c2ac
ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7
7ad4f4717e68ad2d2325c6c039c2b0875890ad9d0baba986d868535680591923
8a47d16dd380f046459e2fd1ebc636a1bba301d521587cc147b4240de545b20e
e29264d11a7be505c2d3a54b49287a98445d6084492d51a343646aa2004b02a3
cd4770d4203ebb6ba64f86cebc1dc41e73eedd471ba798f4d430f61dc1e91be2
8210f3c9825357f5c455a27d5b16b3d9aa63d676af5b63a99a8f6a0a7a216e2c
4085651e02ebe85c6caa4951e0f1fbc21f9c5e3d098d4bda3f3ed1d287d75df1
b49651616836ac1e4d564752217e790374aebcc45297fc3a7a8c5863b9a6cc47
b34b8166ac684784ba4675b56706a9c8f05ba3f4418b4fb67880bb09586e5a19
4ad18e97811de81cfe2a3051d49ccc86cdd6bc03db21081edbcdfbadd68e58b3
e7c9c79948e5fca5447d4dde753f80ac4c7345361b9556aa0dfea061bdbbd94d
cd255ffa7973cee8e0db0cdc9959a616ced95e020a8b92ad503ea309425de033
4d7d5bd7b576fdef5e4352d775bfdf41728477d805bcd1ad8fcb1a8dafac45d2
c00935c3d68d60908b67b83aba7887c4c9b214028af047f1444e2cbc4626ed87
d2d7fea4ea43332f4fb92fcb10ba54b255fb166c058290865d2532be0c6cea6e
bde14637586f65e03996e7a45ca13891ed4725c49bd9b1b95c0b640fba1ee867
9e168c82de9d5a9cfaca738e8a210dc756a6286264b73ef4c5d1ae32f6c25d67
cec777fb8c3d41fa7d7668691f44739b3657539f14ce7364033bbbc4d9d4b4ab
f0302c584d58d5d2d52d68651352c03789392669a38c3aa2ed505d4698a6f9fe
f1607f4a47e7b2fbbb8e6c5af2ecd4c85f85129b8724b1020bb6f13717aeb758
fe531dc9fc72351d60ee3f1641595ffc76789f282e7078a4b7553cb8d031260e
9aa24f45e364a29eb92748cfc1e318beceb909fa19b5b5dfe043a495fc5fd2d2
794cc354a71c5992f8b303a76a4378630d320d3711ada97664ab97b99e3604e1
cc3db2672c67361b617dfb0dca6396da949938d494e7d29e1bafda56263fb55c
14eaa5abc921931a75c1496d523556a91f9c9ff436dd9d1d1eb8dad74d7929c5
e81d2bf102d02b7e5f1d25b19b7ef18c2645c3059b8a9534ffff37c6a668be11
cf964698579bc9ea5e862771b92db9abc95ea18d94d6005c5dbc564336e927db
9c578140205c94ce1f94fb18b2a08bea1d1ef0323252fa81f2acce185c8e1036
28aec7fadc4fac6d849aa513024bdf78d4e69dba855f480354da15d9a24d950e
984541ecf749d574077ed9da7912cbf9643f2204c99b26cf843f278543317b94
d698ff2e1f16f44726ec9056282bb17e80a1303be426156e70063f440ff882fc
SH256 hash:
ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7
MD5 hash:
7970de1dcf66dff399befd012521bcd2
SHA1 hash:
608a1957ba97441b9596732b2d00036e385b38ce
Link:
https://www.unpac.me/results/35e68443-a44a-46e5-9480-f8b582fe8710/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ed79b6198efd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2621762/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/388377/

Comments