MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbeb61dffc09d8b3cea9da82530a91e34b33e41773cedcad488e3f83a4cb4cf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 1 File information Comments

SHA256 hash:	fbeb61dffc09d8b3cea9da82530a91e34b33e41773cedcad488e3f83a4cb4cf8
SHA3-384 hash:	d327cdf3f73de95e37132715011aa067427d5e98df5137c589260a636ddf054893e0d06865722b16728df48fe159080d
SHA1 hash:	d3ab0550078d323a974fda5f51aa618fb85ea931
MD5 hash:	e40967df051e81b88b363d22a7d8a3bb
humanhash:	december-berlin-five-october
File name:	fbeb61dffc09d8b3cea9da82530a91e34b33e41773ced.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	382'464 bytes
First seen:	2022-05-07 16:57:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a14107a392764307cdf95bf281e41cf8 (4 x RedLineStealer, 1 x Stop)
ssdeep	6144:7jZXhnVfW5GBzCSqrw0hEdCIbhA9JVUz8FwigCHWjsEpkXgsP+29QdmolD:7FxVfQqzCSqr08wO/F1gC2jshdP+29s1
Threatray	11'231 similar samples on MalwareBazaar
TLSH	T12384CF04FB90C034F0B716F4897593A8B92EBEA1AF2450CB62D52BEE56356E4EC30757
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
89.22.234.87:42519

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
89.22.234.87:42519	https://threatfox.abuse.ch/ioc/548779/

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

fbeb61dffc09d8b3cea9da82530a91e34b33e41773ced.exe

Verdict:

Malicious activity

Analysis date:

2022-05-07 17:00:06 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/8c00e769-885d-47fb-9d6c-07be253d922a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/269263/

Detection(s):

Win.Packed.Pwsx-9949493-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16633/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6276a4f7982f586844ece94b/reports/8f3aa187-fed4-47fa-b2fd-01b3d252e5a7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8cf9c025-c4a1-4294-9697-4f7b5b2f06db

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/989531

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fbeb61dffc09d8b3cea9da82530a91e34b33e41773cedcad488e3f83a4cb4cf8/

Threat name:

Win32.Trojan.GenSHCode

Status:

Malicious

First seen:

2022-05-07 16:58:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7pvwdx74bhmlhtvj3kbfgcur4nfthzaxophnzlkiry7yhjgljt4a._file

Verdict:

malicious

RedLineStealer

40ba87394996c8595a31da998cc0b88033ea8f7f988f769bc55a354a13fcd6f0

RedLineStealer

4f6070fe259cd83ed1947c7e56fac48d29869bdf8fb4ef4d853acdc4dc64760b

RedLineStealer

6db5590e19d5b589c985d532e5c4930351efb94a14b6be015c568de453e858d4

RedLineStealer

9e37960d51917b063826f9728d85c6bb18ea1b850058f0b72d4e863afdbe609e

RedLineStealer

c69d4f3d3488730af36bd778d4b976746743389f89f99f7747d82717ed5e4679

RedLineStealer

e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061

RedLineStealer

ee1d6f27421d1d7d0b2dd8f00c8df9b5b8e36b4f9f2303a027265bd11e6aad4b

RedLineStealer

+ 11'221 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:07.05 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220507-vgtbysfeem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

89.22.234.87:42519

Unpacked files

SH256 hash:

3a66c7abe34a357bf1391fe86874dbd0e37fafcf8f5a8fda620560c1fe96e741

MD5 hash:

52563a12d56727fc77199af8aa8b7e1e

SHA1 hash:

c3a35a2c8d7f0826c8f5e38c1fbd09622eb258ab

Link:

https://www.unpac.me/results/86cc6ce2-851a-4a18-82d4-0ff800c8c801/

SH256 hash:

c32cab81bae799bb2776b24483d22a7dacf4ac09a454e83a6fb60538d79311b2

MD5 hash:

13e55bc3c98f35f6457629c85c70b30f

SHA1 hash:

9e6cd21b90cd7a5fda6682af1f9b2fdfc5aaf0ef

Link:

https://www.unpac.me/results/86cc6ce2-851a-4a18-82d4-0ff800c8c801/

SH256 hash:

65d34142a1aff72c398e7ec206ded53a45a6a249892c46fd0079517d14b2f42f

MD5 hash:

47721c189837b28154f8c3c782bc2729

SHA1 hash:

69196615817e0a6acd52c699c34cc9684dfdd2d5

Link:

https://www.unpac.me/results/86cc6ce2-851a-4a18-82d4-0ff800c8c801/

SH256 hash:

fbeb61dffc09d8b3cea9da82530a91e34b33e41773cedcad488e3f83a4cb4cf8

MD5 hash:

e40967df051e81b88b363d22a7d8a3bb

SHA1 hash:

d3ab0550078d323a974fda5f51aa618fb85ea931

Link:

https://www.unpac.me/results/86cc6ce2-851a-4a18-82d4-0ff800c8c801/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fbeb61dffc09/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fbeb61dffc09d8b3cea9da82530a91e34b33e41773cedcad488e3f83a4cb4cf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.