MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1
SHA3-384 hash:	cbd1e1112bb7d976b0d64720b1ecdbbd88c386eb0a0bccea9207df61c99f99075b26f6d3125781845808561b1a2575be
SHA1 hash:	90f450aea2e832408f28dcd334e4fb6495284540
MD5 hash:	c8506720f9ed31ae15d1af032903e969
humanhash:	papa-romeo-november-zulu
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'184'376 bytes
First seen:	2023-10-25 11:25:20 UTC
Last seen:	2023-10-25 16:37:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bd3f0634cbec82d8869576eed2e4d590 (5 x RecordBreaker, 3 x RedLineStealer, 2 x Backdoor.TeamViewer)
ssdeep	24576:siHW9gH1dNmf0avZqZ7IZmLYTuQ4QROjFGL4:siV1dNmfiNv
Threatray	963 similar samples on MalwareBazaar
TLSH	T104457DE03584D031EDA3207746EC752592ACE8F4478661DFD2C42EFED61CAC1AE36B99
TrID	56.8% (.EXE) InstallShield setup (43053/19/16) 13.8% (.EXE) Win64 Executable (generic) (10523/12/4) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc828689496_665525231?hash=OZYw1xkPGfzZZ8uyeYa2GzeVcPcXrGGKdo6APT1NzbX&dl=lFs4Hc68aM6cy5y0DFNefHjJr60TBCGpeEEapC2OyZk&api=1&no_preview=1#1

Intelligence

File Origin

# of uploads :

# of downloads :

354

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-10-25 11:38:43 UTC

Tags:

stealer redline sinkhole

Link:

https://app.any.run/tasks/26277789-4275-4c81-93b3-8e5a9d596b15

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/456257/

Detection(s):

Win.Malware.Botx-10004968-0

Win.Packed.Pwsx-10012424-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/6538fb4be3768e7905cb1a51/reports/e50bba97-ebc9-4146-8acc-883575d2275f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5dde6a59-b29a-4998-8fc9-e51d0825b43c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1331831

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-10-25 11:26:05 UTC

File Type:

PE (Exe)

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=57ipyymoj7eabxralcqt7t4u36vszyhw6tqvas6jlija43w7edqq._file

Verdict:

unknown

RedLineStealer

0da921990e3adf5f4e1e222e4de086733839772aabd9caa954600baa797968c4

RedLineStealer

3678309c07aa88fbb969f0caa48df7a803e1d0b12a675a9d46ff6ef4157d4b6d

RedLineStealer

5779207515cf9fcdee8d4fc24b6c372f8dff076176467a2c0f5e67c50a556b2d

RedLineStealer

8910c865cc2f368e2272f48b55656bf12ca421d7c6d25aabf51a0c09925f4232

RedLineStealer

93408b4f53d8e6b1ed009ae1bb9e8e6e1f3bbf668b3d21489329fd8cc0005cc0

RedLineStealer

a64a66fb8f5d7700920d56b6363a8a61f40cc41216ce2a57e12fd665f9e31b69

RedLineStealer

ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5

RedLineStealer

d1449c42ace6906787a0b0a491e4ade033bf8a7853277e952ba07794dc20b7ef

RedLineStealer

db223dd788a3053c01704bf2176730f34ea6ddf927724fa2a88a24587b8d2335

RedLineStealer

+ 953 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer spyware

Link:

https://tria.ge/reports/231025-njt8psgh8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

171.22.28.236:38306

Unpacked files

SH256 hash:

18771aab0d37ea21e0176445b17b75d145d9fc688a185e50293242c829566a73

MD5 hash:

ed7e9a6e6ce54ff2fc91b83cb84f422f

SHA1 hash:

5cbab5f2f27eea11b4efcd984547bb6389f23069

Detections:

redline

Link:

https://www.unpac.me/results/2f630b0c-2465-4923-8259-43a5a0a40eb3/

Parent samples :

af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570
1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494
34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953
efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1
f57d924e1c1b97aba0abe02943b16850bdd22d5eb6c5f9df5acfc420994402fe

SH256 hash:

efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1

MD5 hash:

c8506720f9ed31ae15d1af032903e969

SHA1 hash:

90f450aea2e832408f28dcd334e4fb6495284540

Link:

https://www.unpac.me/results/2f630b0c-2465-4923-8259-43a5a0a40eb3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/efd0fc618e4f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/456257/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample