MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef5ebed758551ce1266e4f30ca6010e151f6c5e6f1e0748949dd09d0b42716e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: ef5ebed758551ce1266e4f30ca6010e151f6c5e6f1e0748949dd09d0b42716e1
SHA3-384 hash: 36841872b62cf708ef570151320088342524d3650f012db90eefab2a20e964b8409b9469f9f2a806967ee3759be6cf16
SHA1 hash: f344935d7fbd249cbeeb335008b566acf6c2aba7
MD5 hash: e05c1119d5fc329d3b67660ae9b4bee4
humanhash: cola-juliet-item-cold
File name: file
Signature: RedLineStealer
File size: 239'616 bytes
First seen: 2022-11-16 12:04:24 UTC
Last seen: 2022-11-16 12:11:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8c8508edec1c956004908c27f8edc2f4 (11 x RedLineStealer)
ssdeep: 3072:VT/9OFy4kX4rRFyJdBA/V0BV8lUkOnFXpnahpDI6RFlScQqiBAXgV0Bx92eedDyc:V8kXQ1gMqFl2cMlScQq192e+CfFxw
Threatray: 1'384 similar samples on MalwareBazaar
TLSH: T166349E17FF20C020C635E0B374A14A59B22D5931E6DC6E136B2E867A5FF36C2723A45E
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence


File Origin
# of uploads: 4
# of downloads: 134
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-16 12:08:21 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-11-16 12:05:09 UTC
File Type: PE (Exe)
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:711 infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction: 194.110.203.100:32796
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 6bb44e4339951fcfb2013e7d6e85afe72988e8d4b0229cc810c20753bbae63cb
MD5 hash: 886bff907b9e1fd1cbffdaed75db55b2
SHA1 hash: d08b7c62f8d610b3826433700101f2dfdb9fb39b
Detections: redline
Parent samples:
SHA256 hash: ef5ebed758551ce1266e4f30ca6010e151f6c5e6f1e0748949dd09d0b42716e1
MD5 hash: e05c1119d5fc329d3b67660ae9b4bee4
SHA1 hash: f344935d7fbd249cbeeb335008b566acf6c2aba7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments