MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe081cfd90bdfd2afc2564cc944631815679802b3e9a48acf888b508d247d7cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments 1

SHA256 hash:	fe081cfd90bdfd2afc2564cc944631815679802b3e9a48acf888b508d247d7cb
SHA3-384 hash:	84928585888ff817bf6c6311736cd0654d8d21012b8f43dfa8f978e02b8d8c34ac1dc9f539c9df10a2596f99563eef49
SHA1 hash:	df03f872c1ba7b05f9549e161ff13001e402e918
MD5 hash:	b0e5839f9ef5c172ac7dbb029d12e0c0
humanhash:	victor-beer-shade-fillet
File name:	b0e5839f9ef5c172ac7dbb029d12e0c0
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	329'728 bytes
First seen:	2022-06-07 08:33:46 UTC
Last seen:	2022-06-07 09:54:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f96053cd203622d03998ec2978919d10 (2 x RedLineStealer, 1 x Smoke Loader)
ssdeep	6144:+la2lBfabRu9+RjzOVzd+bzmLSGPeBZKbu/TxszBfz:+sbYWzOVzM/mLSXBUQTxOfz
Threatray	6'804 similar samples on MalwareBazaar
TLSH	T13564F12073F5C873D6F3553014709A206BBBB8027578858F37A812796FA07D19EBA76B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d8f8e4e284e8f071 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

434

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

http://193.106.191.222/SetupMEXX.exe

Verdict:

Malicious activity

Analysis date:

2022-06-07 07:42:38 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/4471320e-d98e-46a8-bae1-5d08056af5e3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/277264/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.13298.20585.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/629f0dc04c4e28fcf3b94b6d/reports/c6aa101c-5275-423f-a063-2c8e00a6b307/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3706ee7a-5ea4-4e80-a938-109a25679c79

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1007966

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe081cfd90bdfd2afc2564cc944631815679802b3e9a48acf888b508d247d7cb/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-06-07 08:34:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7yebz7mqxx6sv7bfmtgjirrrqflhtablh2nerlhyrc2qrush27fq._file

Verdict:

malicious

RedLineStealer

41a55e0a590832cb83b3c211282d9292743a197867d483db9a240a300aa96502

RedLineStealer

5d6bf47e5512cbad6edef0cdac28b005431fdf0538835fb21e5af9871b637a46

RedLineStealer

837ffb4801d47f374913ffd47e6ed9830a4bc2377d7a33b5b14007075d04ac0d

RedLineStealer

a875098c938f157b3c493ed89049a2d24bb9052b4f493fada7e4ce693b34770e

RedLineStealer

b180216a50259f6c1602343a6da48ccd1b9bc293e0d6ff4f1336fa212c482ce6

RedLineStealer

becad3c0c2a44f7add3f9cecbae0c18bb01023d86fbf69e1421e4b29ca1b9f7f

RedLineStealer

eb630c0e1afc2b423b0b70023546a85839bc97661ebd71ce3a73f1cae910420a

RedLineStealer

f589b734e8e446c4c4972061c3b25480d7326831aac6a6cb466f5afd76a6f00e

RedLineStealer

+ 6'794 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:meta discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220607-kgfezscfc7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.245:23196

Unpacked files

SH256 hash:

08e75a9e3df8d212c34049ae749e270b7f2c2d922e7ddfbc4197813b963954b3

MD5 hash:

e8c9e9cc0036bc649232bc0e9634e6f7

SHA1 hash:

88f6b3d385ecdd2419367ab6511cfd612eb179ad

Link:

https://www.unpac.me/results/d12bfe27-fd36-4b55-93de-7623efe44cc4/

SH256 hash:

04dbfc9cb2909469fab0bed698c7e371c916ce9b7a9a9328c57d080925a05e57

MD5 hash:

89ce9c691eaf75639edd700b087dca8f

SHA1 hash:

0610f8d2761ad67f9b64ebd3be202be32ced7116

Link:

https://www.unpac.me/results/d12bfe27-fd36-4b55-93de-7623efe44cc4/

SH256 hash:

8938f212bedfaf8b11511975865a15ba06a9b3b53d2c9aa5c295b70ad79dd6f2

MD5 hash:

041ea344f71a48cd5201fc24ce740a61

SHA1 hash:

0008a3f30efa3d96c6a444f4b8f7e395fc2ea237

Link:

https://www.unpac.me/results/d12bfe27-fd36-4b55-93de-7623efe44cc4/

SH256 hash:

fe081cfd90bdfd2afc2564cc944631815679802b3e9a48acf888b508d247d7cb

MD5 hash:

b0e5839f9ef5c172ac7dbb029d12e0c0

SHA1 hash:

df03f872c1ba7b05f9549e161ff13001e402e918

Link:

https://www.unpac.me/results/d12bfe27-fd36-4b55-93de-7623efe44cc4/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fe081cfd90bd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fe081cfd90bdfd2afc2564cc944631815679802b3e9a48acf888b508d247d7cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.