MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b
SHA3-384 hash:	fa2e6f6cbbf7b12cd992f2e510112155412055f3011523be69ed9a9b949b7d3c191dd7b7e3d4bb3f24cc0bade2732b69
SHA1 hash:	90c5a90b22ae659dd03f472c17e105a08b4c5fd8
MD5 hash:	816df416e1ec1fe1650e161403ac4069
humanhash:	south-kentucky-alpha-network
File name:	816df416e1ec1fe1650e161403ac4069.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	429'056 bytes
First seen:	2023-05-20 09:45:10 UTC
Last seen:	2023-05-20 14:55:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	885df6b18e739ee3563619e20c0ba91a (3 x Stop, 2 x RedLineStealer, 1 x TeamBot)
ssdeep	6144:mVNf7kLUIE2vA+/Rvj7yie7LL8N1RKXg3TXkKB+K60JCTK:Mf7kLU/2vFtnd6/OLr3b5q
Threatray	47 similar samples on MalwareBazaar
TLSH	T1B4948E4392A3BC69E9194A728E3EC2F87A1EF5504F4937D72224AE3B14711F2D6B7701
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0143424602020a10 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.81.68.115:2920

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

816df416e1ec1fe1650e161403ac4069.exe

Verdict:

Malicious activity

Analysis date:

2023-05-20 09:47:09 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/3a50efe4-acf0-49bd-a08c-50bb52bb06c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29322.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/85942/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/646896da2e4c86cb88c40664/reports/bc84cd1d-a365-4cc6-8511-b1fdf6210f24/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a66a5da-d4bd-4891-b90b-1252cd2caf05

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1237917

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-05-20 09:46:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7xnffl62ij4pkvhcnu3w2t2w5ca4spmhu2ybb4bchnh5apeygcfq._file

Verdict:

malicious

RedLineStealer

1e6feb0749b0cfffd2e085d364667c6040cf008a59b0831a74c82db2256055b6

RedLineStealer

1fd69f09311ce43388620c19162acd54b86701eea3112da066e3d905205ab223

RedLineStealer

28da267cd03efdfd51d9580f406b4e79549b535747817b1d285a549a247258b2

RedLineStealer

9893ec0e2902925018922ca40cc3495001dec4ccd32137cc13566c74bd1438e1

RedLineStealer

bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53

RedLineStealer

c45d9ba24cf0bfa06a2d725ab02811c96025418d7dab9e7644310e512f98ee2c

RedLineStealer

d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3

RedLineStealer

e28be3362db83dfc814f8528a74d5b3d39e9b649c44fec64c5f5f57f8d59cb2a

RedLineStealer

f84bbac5444f77d81d4d3739f949d630b806957183aa1b797445ea35e9b0db11

RedLineStealer

+ 37 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230520-lrlv7aec81/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

6d387b94e0120a94ab745ddd68cc5531b1137ec954afdf23bd3d4f571e36aa13

MD5 hash:

b976665d8b48fafb6a7d6dc535afd519

SHA1 hash:

59bcf224a78259bfe4cadb1c31407c574f2c22b5

Detections:

redline

Link:

https://www.unpac.me/results/53f38af8-ec0e-4c09-baae-5ad8364f3a05/

Parent samples :

0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501
f74d1a038f0d9666f42bdd990d2c86446ed3e51b210c39cd2d701ee54d22592f
bbd8aa9922966e25df27643b728d5d7a0416f4b08318990edeabd73b2a4ede53
1fd69f09311ce43388620c19162acd54b86701eea3112da066e3d905205ab223
d1168d11c6f0c4689aee92bfc5190032346925d78f57f5a502b5e11309e9f3b3
fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b
2f745b7e0fd4a560ae3519285a02388f8264fc2b68e3dbe217683515b65a754f
3101f6b59315da1a8b0024755a66e13319634e51bc695ea60361c1be51cddfe3

SH256 hash:

abc681771581e32e28a2873bc6c5fac1f22793524300c207e77d3320df8ff4ec

MD5 hash:

f16c9d9a049a0b987a725ef0ae618927

SHA1 hash:

5745600576f586b53b57d6fc668e7be0a4d0b119

Link:

https://www.unpac.me/results/53f38af8-ec0e-4c09-baae-5ad8364f3a05/

SH256 hash:

a785a5e1f0472823df00c77373037df82aa490ddc3b52b5bb1bc42629dcbf03e

MD5 hash:

1df5f40f2337d55b5c31203e3ba87efe

SHA1 hash:

5171dea6a222b51109d9f926629ae6cb785ec7a8

Detections:

redline

Link:

https://www.unpac.me/results/53f38af8-ec0e-4c09-baae-5ad8364f3a05/

Parent samples :

SH256 hash:

fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b

MD5 hash:

816df416e1ec1fe1650e161403ac4069

SHA1 hash:

90c5a90b22ae659dd03f472c17e105a08b4c5fd8

Link:

https://www.unpac.me/results/53f38af8-ec0e-4c09-baae-5ad8364f3a05/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fdda52afda42/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe fdda52afda4278f554e26d376d4f56e881c93d87a6b010f0223b4fd03c98308b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2604056/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample