MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1d83f3c30658ddff9efd866d06b7b5db3e0b999b699aead43de4ba3d6e3fc84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1d83f3c30658ddff9efd866d06b7b5db3e0b999b699aead43de4ba3d6e3fc84
SHA3-384 hash: 8dd8aeadac9c437421b5c195f527c90c6dd35f6f76d5640a206d34502620342e0282e26bee1af1d69cd1dbec320f7ad0
SHA1 hash: e36c8d00c1000ccc8caccbbaab2be92ca137007a
MD5 hash: 5cbb7d5ad4093165191596a1f3c6007c
humanhash: crazy-double-hotel-east
File name:5cbb7d5ad4093165191596a1f3c6007c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:396'288 bytes
First seen:2021-10-15 15:27:36 UTC
Last seen:2021-10-15 16:11:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 470518591ed4a5fa094199423463cb10 (1 x RedLineStealer, 1 x CryptBot, 1 x DanaBot)
ssdeep 6144:2ceWpHyGIoGNnOU8TmSq9q1uwrgdftNJN1VyalBUhT4lq2Q/kPKY:ReEyGtGROmlkQftzN1VyaqT4ltvPKY
Threatray 2'842 similar samples on MalwareBazaar
TLSH T12184BF00A7A0C034F1F716F54ABA93B9A53E7AE1673491CF12D526EA5B386E5EC30317
File icon (PE):PE icon
dhash icon ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5cbb7d5ad4093165191596a1f3c6007c
Verdict:
Malicious activity
Analysis date:
2021-10-15 15:41:24 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c2aa63a3-4f20-4f00-a704-a74408200a05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197787/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.16444.10457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61699e05db358dd15eb9e135/reports/259f97d8-86d8-4408-ab1e-768060c87439/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ff879e9-1c62-443c-a006-07147300b9cc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871225
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1d83f3c30658ddff9efd866d06b7b5db3e0b999b699aead43de4ba3d6e3fc84/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-15 15:28:06 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hmd6pbqmwg576pp3btna233lwz6bomzw2m25lkd3zf2hvxd7sca._file
Verdict:
malicious
Similar samples:
1bbc078db5d1d7f8003ac55c86d5e925d50cd79ce2b4e1b95cda63b5242f000e
RedLineStealer
5ced62a4d85fd3bd2eaa51c44e5b08c4f57672de89782fc8a002172db3e8ed2f
RedLineStealer
665b0cd8dfe3967ce59155497f7226118f0b840b2c9a8361bd1ae3630698f3a4
RedLineStealer
93cab9c0bb921b19441630eaff516d547c8083dd1e2bd7b8b799ec282af5ef23
RedLineStealer
a1c2a8d328a756b25f0f871843dd68cf12f266291f9764523d9ed1d909e43a22
RedLineStealer
aa380d5239ccf0409993f7cfb4c2345d2364f3795398de00ea5b2db86e9a2cbb
RedLineStealer
d0dda5dfd52eedeb0c31cc69428a488f7af8f66e6c3a736ff88c6ea1c8ebed35
RedLineStealer
f934020452d58f327c22060903f625f8b9b39429afad32dc05faf58f4e3f32f9
RedLineStealer
+ 2'832 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:paladin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211015-swcawabbb5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
37.228.129.48:29795
Unpacked files
SH256 hash:
2b580bef9687ce1ac43ce36d86da6c95a0673c040c74e6854b94a258399ee10b
MD5 hash:
f7fd2c3f4ca13720d939a6ea97d274a8
SHA1 hash:
7b73809a2d8a7a6d4db7434ec0844011060cbe1d
Link:
https://www.unpac.me/results/24c37f41-012e-4763-a426-00bff6a8d208/
SH256 hash:
750d494160bb549b3161bb320e711c038e02c62f0747f06761fc7e1434c9600b
MD5 hash:
f5f6f26cea37124d9a592a3d0cc638f3
SHA1 hash:
398c0139c9b7db0de1d566747cc9977c385086fe
Link:
https://www.unpac.me/results/24c37f41-012e-4763-a426-00bff6a8d208/
SH256 hash:
84fba1208ac10a8f93273fd161788db8c3a051fce6c164c7518e00cd29a9f875
MD5 hash:
e244e72cb30dba89114f178fd08c1db9
SHA1 hash:
03467db09e3fa27c49da7c34e5aad3ee059a324e
Link:
https://www.unpac.me/results/24c37f41-012e-4763-a426-00bff6a8d208/
SH256 hash:
f1d83f3c30658ddff9efd866d06b7b5db3e0b999b699aead43de4ba3d6e3fc84
MD5 hash:
5cbb7d5ad4093165191596a1f3c6007c
SHA1 hash:
e36c8d00c1000ccc8caccbbaab2be92ca137007a
Link:
https://www.unpac.me/results/24c37f41-012e-4763-a426-00bff6a8d208/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f1d83f3c3065/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1d83f3c30658ddff9efd866d06b7b5db3e0b999b699aead43de4ba3d6e3fc84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f1d83f3c30658ddff9efd866d06b7b5db3e0b999b699aead43de4ba3d6e3fc84

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1666143/
Cape
Cape
https://www.capesandbox.com/analysis/197787/

Comments


Avatar
zbet commented on 2021-10-15 15:27:37 UTC

url : hxxp://103.159.133.159/store/items/sefile3.exe