MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c
SHA3-384 hash: 0ec1f7a1e8ed5523dbddfe9e317682179dc4459ab1e4d80e300c362ac3edef001903d4d304dbe3b51945cbaa8d712a5e
SHA1 hash: a1d1828c0791609dd761f895d6f644dae8f56a32
MD5 hash: 784a0dd84e1a911aa5a6b52a19acf069
humanhash: item-yellow-angel-dakota
File name:784a0dd84e1a911aa5a6b52a19acf069.bin.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:279'040 bytes
First seen:2023-06-19 12:55:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d91fa928c738702455bfa66ac3685503 (23 x RedLineStealer, 7 x Amadey, 1 x Healer)
ssdeep 6144:0jbab2L7FAUjnFM9P3Z73jLxYKJk+JyvVLMl:ua43FOLxtRyvV
Threatray 1'683 similar samples on MalwareBazaar
TLSH T172544B0FB5C50336E471103D2BB02956EDEDBC910D34ADB73A6CD329116BBE2A9690DE
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.154.181.39:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
784a0dd84e1a911aa5a6b52a19acf069.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 12:57:37 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/0fa56b9f-a39d-46c8-b075-d146248f3551

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400486/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.25776.14843.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware masquerade
Link:
https://www.filescan.io/uploads/649050645f4ad0cf05685145/reports/db18919e-8a4c-43c6-8a17-bea22edf3382/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f79c20c2-92ab-4708-ad0d-e7e89c0d4ec1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257387
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 12:56:08 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xt5bnek2mlftbutxhgiur7zvet5q7ngoattqtxwogjxlkgmmzga._file
Verdict:
malicious
Similar samples:
173dab5f308f27a0e91706ba7cca550ad73d6d4806480099692f4f498a8b2b4d
RedLineStealer
1ca91eaf63056917103fcdaa2fe1051a7357247881a7fea5d918ca2e189cab8c
RedLineStealer
3023836b37a47b6599e276d2d7553299e07a1c372c40d47659d6c041595b1aa6
RedLineStealer
3b7e4f66c4398814f9c83b444dcc14b5ba2e407f00c411a9059247b40266d4d6
RedLineStealer
3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51
RedLineStealer
4fc91338a68b0d910c0cda912862387fd02b96e96be18c58a895d078005a5207
RedLineStealer
521dcc37d3061837443e0e903d96433ce572e186e7a41a92a0b111f8d2fdddc7
RedLineStealer
9ab55d3242777bc911d575af8f1a91d891d4fce2f979eabfdcff158a8a78d6da
RedLineStealer
c2638a87bb13c43789a46338781509e9cc98aa23d98b7d3d446df2bd18ef954b
RedLineStealer
c89226168e9dd1d256d85a72bb252cda314b6c8c4aad45a5cf30c63ba899518e
RedLineStealer
+ 1'673 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@sogood1337 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230619-p6cgvaea27/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
vikaneleneer.shop:80
Unpacked files
SH256 hash:
9d7db71c1503a39c212ae19c34abcfa04e388869f0389504ff6b496ae697d56c
MD5 hash:
ac6e2bf4623442bebed60ce3c0e1b3b0
SHA1 hash:
c0f7dbc3295065e9ab91333e37c26ffdfc9c5c1c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ac0cf5a0-d672-43b9-9733-bd29c6596043/
Parent samples :
3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51
fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c
SH256 hash:
d80e375009f93d2b97a23e4bb6e7712ecc425fa827fb7b0c06ea67e80a6bcfd0
MD5 hash:
3f5c925f7873345fe3d762d35815aee5
SHA1 hash:
8ec87888d993bfd424ac920bc95dc54eca999dea
Link:
https://www.unpac.me/results/ac0cf5a0-d672-43b9-9733-bd29c6596043/
SH256 hash:
fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c
MD5 hash:
784a0dd84e1a911aa5a6b52a19acf069
SHA1 hash:
a1d1828c0791609dd761f895d6f644dae8f56a32
Link:
https://www.unpac.me/results/ac0cf5a0-d672-43b9-9733-bd29c6596043/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fde7d0b48ad3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/400486/
  
URLhaus
https://urlhaus.abuse.ch/url/2666300/
  
Delivery method
Distributed via web download

Comments