MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
SHA3-384 hash: f2814949260a5669db0551993937a7186a3e24c5d45556b4b680ad233064d401f33e0a7fb168c7dcfc16fe6450167afb
SHA1 hash: 0902d497ecaa7cba28eefa55a7102e9672c0c4ef
MD5 hash: f5e0f414b41f4c8119ff2275527c8b14
humanhash: speaker-leopard-nevada-salami
File name:f5e0f414b41f4c8119ff2275527c8b14.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:428'032 bytes
First seen:2023-05-19 18:40:54 UTC
Last seen:2023-05-20 14:58:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8e0cca9c8daf9ab8d5b3be250b7f319 (5 x Stop, 2 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:aQy7prSNxo2M3ZJhu9P6En8FsqJBbp9+n7ORAGcJG9s0xJJjyO1mqT+8F:orSNxzMJJk3n8SqJBbrCSRcstBU6+s
TLSH T133948D0392A1BC65E72146719E1EDAE8765EF9508F097BDB2218AFEF14701F2C273316
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 90a8c850d0c0c000 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.81.68.115:2920

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f5e0f414b41f4c8119ff2275527c8b14.exe
Verdict:
Malicious activity
Analysis date:
2023-05-19 18:42:45 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/7df867e0-94f3-4aca-a9e7-ff73f53d3798

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.29322.BadIN.UNOFFICIAL
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6467c2c38206acd6d0f924ba/reports/853edcfd-9b6c-45ed-8856-b58c43568d7d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c931fe68-bac0-4e3e-b8e5-0f2ebaea44d2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237529
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 18:41:06 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65grua4pbwlgn5bl3wmq2legirxnhzi3eegdttjnoapoktjclexq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230519-xbrmaaaa7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
6d387b94e0120a94ab745ddd68cc5531b1137ec954afdf23bd3d4f571e36aa13
MD5 hash:
b976665d8b48fafb6a7d6dc535afd519
SHA1 hash:
59bcf224a78259bfe4cadb1c31407c574f2c22b5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0f2fda23-427b-4e38-9684-1744f24c5f1a/
Parent samples :
0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501
f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53
1fd69f09311ce43388620c19162acd54b86701eea3112da066e3d905205ab223
d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3
fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b
2f745b7e0fd4a560ae3519285a02388f8264fc2b68e3dbe217683515b65a754f
3101f6b59315da1a8b0024755a66e13319634e51bc695ea60361c1be51cddfe3
SH256 hash:
abc681771581e32e28a2873bc6c5fac1f22793524300c207e77d3320df8ff4ec
MD5 hash:
f16c9d9a049a0b987a725ef0ae618927
SHA1 hash:
5745600576f586b53b57d6fc668e7be0a4d0b119
Link:
https://www.unpac.me/results/0f2fda23-427b-4e38-9684-1744f24c5f1a/
SH256 hash:
a785a5e1f0472823df00c77373037df82aa490ddc3b52b5bb1bc42629dcbf03e
MD5 hash:
1df5f40f2337d55b5c31203e3ba87efe
SHA1 hash:
5171dea6a222b51109d9f926629ae6cb785ec7a8
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0f2fda23-427b-4e38-9684-1744f24c5f1a/
Parent samples :
0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501
f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53
1fd69f09311ce43388620c19162acd54b86701eea3112da066e3d905205ab223
d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3
fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b
2f745b7e0fd4a560ae3519285a02388f8264fc2b68e3dbe217683515b65a754f
3101f6b59315da1a8b0024755a66e13319634e51bc695ea60361c1be51cddfe3
SH256 hash:
f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
MD5 hash:
f5e0f414b41f4c8119ff2275527c8b14
SHA1 hash:
0902d497ecaa7cba28eefa55a7102e9672c0c4ef
Link:
https://www.unpac.me/results/0f2fda23-427b-4e38-9684-1744f24c5f1a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f74d1a038f0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2604056/
  
Delivery method
Distributed via web download

Comments