MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5c0e1eea15510e4dfdac14b693524b6860b9eb12661e9a89b2c81e978ff0a06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 6 File information Comments

SHA256 hash:	f5c0e1eea15510e4dfdac14b693524b6860b9eb12661e9a89b2c81e978ff0a06
SHA3-384 hash:	8ef34a161ba319d95c54467cb3b6fb31e5e93b5ae045fcb52f01240237b8a68f9779b90dc88fb8057f8ca36b918dd95d
SHA1 hash:	6a86c23b5aab14ab057af0888dfd8943eeea3b7b
MD5 hash:	a6f3ea01902e6522073f27d41806a153
humanhash:	edward-failed-one-glucose
File name:	f5c0e1eea15510e4dfdac14b693524b6860b9eb12661e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'365'376 bytes
First seen:	2022-03-04 22:30:50 UTC
Last seen:	2022-03-05 01:03:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9fb84f5d437fb5a264a91f93da1ad740 (1 x RedLineStealer)
ssdeep	24576:4tMawnkxMl6kwQu9e4fKXA6X1hbBQdzlg8ghqmuHTYMS1KvuP:lnkjkwQ+fKXzXb1MSlCTY+vuP
Threatray	4'987 similar samples on MalwareBazaar
TLSH	T1B85533C4B42846E5EFAED5B743F5C41E026CA9F28A1AD836A7374B5DF0D014F44AA3B4
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.115:22844

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.115:22844	https://threatfox.abuse.ch/ioc/392547/

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/247474/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.12514.7833.21487.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15faa656-1522-4937-841d-f25c1986372e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/951072

Signature

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f5c0e1eea15510e4dfdac14b693524b6860b9eb12661e9a89b2c81e978ff0a06/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2022-03-04 20:25:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6xaod3vbkuiojx62yffwsnjew2daxhvrezq6tke3fsa6s6h7bida._file

Verdict:

malicious

RedLineStealer

2fec7b4ea47561285e6f6136a1df0d4c60342567be0ab0d3fba37f4bf9f3049e

RedLineStealer

3eb8443ed0a6200a3e8af4ea1b0367a999ff30e38b54ddaf14ee47d7a243efb7

RedLineStealer

4f83d00a482375e2fc4321fd82e0172b85013eac3a41cf1eec700d8e365bf9ce

RedLineStealer

6e1ddf76e705dc1bc2652abac925a2a097341a3de1193a86854046cd92009953

RedLineStealer

76b0e21eb14f634c137bd2e38462e55c70cdb71cd681463f0c24eb9208aab4df

RedLineStealer

aa9cee19ccf716d1b4f552ebff91542776e2b17b9a8b4aaf5b1a99ac07771969

RedLineStealer

+ 4'977 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:777 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220304-2fc2xahehn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.106.191.115:22844

Unpacked files

SH256 hash:

77187c9be6f4cf1f11b7b0b7ce0dc34d0f4d319cf01c577e21d9f669724bde71

MD5 hash:

b4c0c9cd0810a1da303531e6d1e228cb

SHA1 hash:

85387a16bff9a3cd903d3837fc823807ec7b3c84

Link:

https://www.unpac.me/results/fc97cd91-5558-4077-b996-1b54e26aeec6/

SH256 hash:

f5c0e1eea15510e4dfdac14b693524b6860b9eb12661e9a89b2c81e978ff0a06

MD5 hash:

a6f3ea01902e6522073f27d41806a153

SHA1 hash:

6a86c23b5aab14ab057af0888dfd8943eeea3b7b

Link:

https://www.unpac.me/results/fc97cd91-5558-4077-b996-1b54e26aeec6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f5c0e1eea155/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5c0e1eea15510e4dfdac14b693524b6860b9eb12661e9a89b2c81e978ff0a06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	SUSP_Reversed_Base64_Encoded_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an base64 encoded executable with reversed characters
Reference:	Internal Research

Rule name:	SUSP_Reversed_Base64_Encoded_EXE_RID3291 Create hunting rule
Author:	Florian Roth
Description:	Detects an base64 encoded executable with reversed characters
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/247474/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample