MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e
SHA3-384 hash: fdf42a06af0f817aee5a1db9d2925701c4d4d381961c0bce005ebb76c25e2934a1c0729789ed992ce10d2d2b4840a645
SHA1 hash: 8ebc558fa29c7ca284d33e5b80eef69c5efcbc86
MD5 hash: 4151601d4bc05e30e3ab229d714292c5
humanhash: kilo-quiet-rugby-nuts
File name:4151601d4bc05e30e3ab229d714292c5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:374'272 bytes
First seen:2022-06-06 17:25:47 UTC
Last seen:2022-06-06 17:38:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1dd05aad8ce2a14fd9b3b972a5a8dca9 (2 x RedLineStealer, 1 x CoinMiner, 1 x ArkeiStealer)
ssdeep 6144:ocfYkJ+u0mXgP4T+5iYhH4W5kp384dOAl3fkv32EoLogXXbjn6RrE28fb4:ocfRH09PEqiYhYW03xdB3fkP2EaZXXnI
Threatray 3'520 similar samples on MalwareBazaar
TLSH T1A784CF10BB90C035F5F756F44ABA8378792EBAA19B3494CB62D41BEE46346E5EC30317
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f0f0cccc98f0e0c0 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.245:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.245:23196 https://threatfox.abuse.ch/ioc/657214/

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4151601d4bc05e30e3ab229d714292c5.exe
Verdict:
Malicious activity
Analysis date:
2022-06-06 17:28:08 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/88e75539-7c83-4dba-8c7c-6474540be78f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277105/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.1597.30178.9608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/629e38f08e867832d9df2306/reports/6cc3dff5-3a24-42c8-8275-fe282725d790/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/684d54cb-1aa9-4043-bd37-bd7f7eff74c1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007553
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-06-06 14:07:43 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
30 of 41 (73.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6we3onhi4rdmjrexebq4hmsuqdlte2brvldkns2gn5np25vg6aha._file
Verdict:
malicious
Similar samples:
34dde3522a2d74882bf241a97498394af7a1f9a19619e4551f426c14f62e4484
RedLineStealer
41a55e0a590832cb83b3c211282d9292743a197867d483db9a240a300aa96502
RedLineStealer
6053a38f2f9b911cb682ae3085cb8d3abd77c4a886a3790f0e66020d16386c30
RedLineStealer
837ffb4801d47f374913ffd47e6ed9830a4bc2377d7a33b5b14007075d04ac0d
RedLineStealer
93ac1dfcdeb6aca6957632ec2478a2baf8f9b71e936102922098a2bc5233a9d0
RedLineStealer
9990d582538b8d58127bc56b08c69d315ed3951c6f9cf44152643188d9cd76a8
RedLineStealer
a59f0c18c73ee15e06c5bf447e6efd4daaa5dba84caf09b531088d1e8bc7cb8a
RedLineStealer
e1940d5d2ccc9a7db9bc4605837262efe7a223942a7cbd9b59506070a04404be
RedLineStealer
eb630c0e1afc2b423b0b70023546a85839bc97661ebd71ce3a73f1cae910420a
RedLineStealer
fb1b2d99803d89ecbbc788e37a4759fb57e67a98773c349a22f36cb7972f3c63
RedLineStealer
+ 3'510 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:meta discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220606-vzt17sedcr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.106.191.245:23196
Unpacked files
SH256 hash:
08e75a9e3df8d212c34049ae749e270b7f2c2d922e7ddfbc4197813b963954b3
MD5 hash:
e8c9e9cc0036bc649232bc0e9634e6f7
SHA1 hash:
88f6b3d385ecdd2419367ab6511cfd612eb179ad
Link:
https://www.unpac.me/results/711244f9-ceaf-451d-a261-c47f897d0d9e/
SH256 hash:
64d4ce7906e0dda1d41a4f99101760482e1e16786e03b115fb25fd68201ac05c
MD5 hash:
c257e89b0515047d7088f8e5f5db4d92
SHA1 hash:
12f42292ed672c89a8f71cd6b41a7c80c4e3ba25
Link:
https://www.unpac.me/results/711244f9-ceaf-451d-a261-c47f897d0d9e/
SH256 hash:
04dbfc9cb2909469fab0bed698c7e371c916ce9b7a9a9328c57d080925a05e57
MD5 hash:
89ce9c691eaf75639edd700b087dca8f
SHA1 hash:
0610f8d2761ad67f9b64ebd3be202be32ced7116
Link:
https://www.unpac.me/results/711244f9-ceaf-451d-a261-c47f897d0d9e/
SH256 hash:
f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e
MD5 hash:
4151601d4bc05e30e3ab229d714292c5
SHA1 hash:
8ebc558fa29c7ca284d33e5b80eef69c5efcbc86
Link:
https://www.unpac.me/results/711244f9-ceaf-451d-a261-c47f897d0d9e/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f589b734e8e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2212249/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2164186/
  
URLhaus
https://urlhaus.abuse.ch/url/2212752/
Cape
Cape
https://www.capesandbox.com/analysis/277105/

Comments