MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
SHA3-384 hash: bbcd8c7d42611d00c79b44344d384087aeeb66f0e7d9d66cae3a9b2c2b84f2be0dfa8cee84f5d656aa80ea13b5458153
SHA1 hash: 3e954e4030869d99ecbaf6503acafd1ef4a81dbf
MD5 hash: e0888920ecf5282f98cc62836905ecdd
humanhash: hydrogen-london-robert-oscar
File name: e0888920ecf5282f98cc62836905ecdd.bin.exe
Signature: RedLineStealer
File size: 566'272 bytes
First seen: 2023-04-12 11:16:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 12288:C2iNqgIbuMjFxhqrvhf1TP2TmQs2e9hpqW7dwY5DVjuAk1aGL:C1wgWvhQvhfdP3LqW7Tvju3aGL
Threatray: 30 similar samples on MalwareBazaar
TLSH: T1F6C4F1B943D0C74DD9401FBE5A04188C27FA99F9C4D8DE4ECA6BB0CB5EBC3618154E6A
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe RedLineStealer
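The imphash listed for this sample, f34d5f2d4577ed6d9ceec516c1f5a744, is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples because it is the import hash of practically every .NET executable: a managed PE carries a single native import, mscoree.dll!_CorExeMain, so the hash only says "this is a .NET exe" and cannot be used to pivot to a family. The Python below is an example added to this entry, not MalwareBazaar's or pefile's own code; it re-implements the pefile import-hash algorithm over an explicit import list to make that visible. Ordinal handling is simplified (pefile additionally resolves well-known ws2_32/oleaut32 ordinals to names), and imphash_is_useful_for_pivoting is an illustrative helper, not a MalwareBazaar feature.

```python
"""
Added example (not MalwareBazaar's or pefile's code): recompute an import hash
the way pefile.PE.get_imphash() does, to show why the imphash on this entry,
f34d5f2d4577ed6d9ceec516c1f5a744, is shared by unrelated .NET malware families.
"""
import hashlib

# pefile strips exactly these extensions from the DLL name before hashing.
_STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def imphash(imports):
    """
    imports: iterable of (dll_name, function_name_or_ordinal) in import-table order.
    Mirrors pefile: DLL name lowercased and stripped of .dll/.ocx/.sys, function
    name lowercased, entries joined as "dll.func" with commas, MD5 of the result.
    Ordinal-only imports are rendered as "ordN" (pefile's make_name fallback);
    its ws2_32/oleaut32 ordinal-to-name tables are omitted here (assumption).
    Returns "" when there are no imports, as pefile does for a PE without an
    import directory.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXTENSIONS:
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    if not parts:
        return ""
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Every managed (.NET) EXE has exactly one native import: mscoree.dll!_CorExeMain.
# Its imphash therefore identifies "is a .NET executable", not a malware family.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]
DOTNET_EXE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"  # value shown on this entry


def imphash_is_useful_for_pivoting(h):
    """Illustrative helper: False for the generic .NET stub hash, True otherwise."""
    return bool(h) and h.lower() != DOTNET_EXE_IMPHASH


if __name__ == "__main__":
    h = imphash(DOTNET_EXE_IMPORTS)
    print(h, "matches entry" if h == DOTNET_EXE_IMPHASH else "differs")
    print("pivot on it:", imphash_is_useful_for_pivoting(h))
```

For a .NET sample like this one, pivot on ssdeep, TLSH, the Threatray similarity count, or the extracted C2 instead; the imphash carries no family signal.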


abuse_ch
RedLineStealer C2:
107.167.69.80:28253

Intelligence


File Origin
# of uploads: 1
# of downloads: 259
Origin country: NL
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: e0888920ecf5282f98cc62836905ecdd.bin.exe
Verdict: Malicious activity
Analysis date: 2023-04-12 11:17:11 UTC
Tags: rat redline
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
  Verdict: Suspicious
  Threat level: 5/10
  Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine, zgRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph: (image not reproduced)
Threat name: Win32.Spyware.RedLine
Status: Suspicious
First seen: 2023-04-12 11:17:06 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 16 of 24 (66.67%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:1379752987 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: 107.167.69.80:28253
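The extracted C2 endpoint is the most actionable indicator on this entry: RedLine talks to its controller over a raw TCP port, so the IP and port should be matched together, not the IP alone. The Python below is an example added here, not MalwareBazaar's code; it runs a retro-hunt for the C2 over a Zeek conn.log excerpt and emits a local Suricata rule for it. The log lines are constructed for the example (RFC 5737 and RFC 1918 addresses, made-up uids), and the rule's sid 1000001 is an assumed local-rules number.

```python
"""
Added example (not MalwareBazaar's code): hunt for the RedLine C2 extracted on
this entry, 107.167.69.80:28253, in a Zeek conn.log and generate a local Suricata
rule. The conn.log excerpt below is constructed for the example, not real traffic.
"""
from dataclasses import dataclass

# IOC from this MalwareBazaar entry (Malware Config -> C2 Extraction).
REDLINE_C2 = ("107.167.69.80", 28253)
SAMPLE_SHA256 = "f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2"

# Constructed Zeek conn.log excerpt: TSV with the #fields header Zeek writes.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1681298400.101\tCabc1\t10.0.0.15\t49812\t203.0.113.10\t443\ttcp\tssl\t1.2\t3120\t9800\tSF
1681298412.553\tCabc2\t10.0.0.23\t50311\t107.167.69.80\t28253\ttcp\t-\t4.9\t18304\t1275\tSF
1681298420.008\tCabc3\t10.0.0.23\t50312\t107.167.69.80\t80\ttcp\thttp\t0.3\t412\t5500\tSF
1681298433.777\tCabc4\t10.0.0.41\t50400\t107.167.69.80\t28253\ttcp\t-\t0.0\t0\t0\tS0
"""


@dataclass(frozen=True)
class C2Hit:
    ts: str
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    conn_state: str


def parse_conn_log(text):
    """Yield one dict per record of a Zeek conn.log (TSV with a #fields header)."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #close and similar metadata
        if fields is None:
            raise ValueError("conn.log record seen before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_c2_hits(text, iocs):
    """Return connections whose responder matches an (ip, port) IOC exactly.
    Port is part of the match: 107.167.69.80 on 80/tcp is not evidence of RedLine C2."""
    wanted = {(ip, int(port)) for ip, port in iocs}
    hits = []
    for rec in parse_conn_log(text):
        key = (rec["id.resp_h"], int(rec["id.resp_p"]))
        if key in wanted:
            hits.append(C2Hit(rec["ts"], rec["uid"], rec["id.orig_h"],
                              int(rec["id.orig_p"]), key[0], key[1], rec["conn_state"]))
    return hits


def suricata_rule(ip, port, sid):
    """Local Suricata/Snort rule for outbound traffic to the C2.
    sid is an assumed local-rules number (1,000,000 and up is reserved for local use)."""
    return (f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"RedLine Stealer C2 {ip}:{port} (MalwareBazaar {SAMPLE_SHA256[:12]})"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    for hit in find_c2_hits(CONN_LOG, [REDLINE_C2]):
        # conn_state S0 means SYN sent with no reply: the host still tried to
        # reach the C2, which is worth triage even if the controller is gone.
        print(hit)
    print(suricata_rule(*REDLINE_C2, sid=1000001))
```

Both hosts in the constructed log that touched 107.167.69.80:28253 are returned, including the one whose connection never completed; the HTTP connection to the same IP on port 80 is not, which is the behaviour you want when an attacker's IP also hosts unrelated services.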
Unpacked files
SHA256 hash: bf8688c8457e19c0855c17de9eb4e231c33eee9f4ae10b564fcea9440728c8c7
MD5 hash: acb4fec4bd94b33b98807d0dd8753c59
SHA1 hash: 191c9cee012689836e09e1ffddf3f740151c5e2d
SHA256 hash: c3c2c0fc37ccd90107677ab60de0dcea254a13f56663ec4adc1a0e7740491d1e
MD5 hash: 833af66487f635f6098e908fce7015a9
SHA1 hash: b1704eb9ede86a5d714b9e6e3f5e07d6fed86299
SHA256 hash: 07b1a5fd4da3b8a526a70c3fa7cde55753a66a5e6281b4a8503ebfa98ed8d22a
MD5 hash: 644bb373629649e6adeb217009876d5c
SHA1 hash: 9d4eb669d2cda15ec0b94194ba8405329427a040
SHA256 hash: 40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash: c768bac25fc6f0551a11310e7caba8d5
SHA1 hash: 95f9195e959fb48277c95d1dd1c97a4edff7cb3a
SHA256 hash: d7d1c1b5fcf92bc215de763032eb94525780d8c202624c83b9c737690e8ba9c0
MD5 hash: 0af0c3572f4d3a6f584d0882bafc3c30
SHA1 hash: 72f738dfbc4f4a030a1fe97c7f39de43d42f5cf4
SHA256 hash: 313e0c33c3815ed0b7e2afff8852027e17cf3b187a7ac1d861a80e026c770de4
MD5 hash: e6f6019d84e912eba66189e1232ff0c8
SHA1 hash: 48cbd94aa1b63e4858d23f27bd4416c9d2c8933a
SHA256 hash: f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
MD5 hash: e0888920ecf5282f98cc62836905ecdd
SHA1 hash: 3e954e4030869d99ecbaf6503acafd1ef4a81dbf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments