MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00b9c3d39697378513dcd54ae22c1bb0dbf85750839af9c947f73681772eab6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 00b9c3d39697378513dcd54ae22c1bb0dbf85750839af9c947f73681772eab6a
SHA3-384 hash: 22e2653c4bc6e9525ddcae608a7cc72b10602af015acfaa456a7807b739ecceb9579efc875e3b546595ed26ecf30ba3f
SHA1 hash: 9bd7f9cd92c6d8f9bf5423fdd4d7a34ed76f6cc8
MD5 hash: 408524b3a07bacf0028a1667daddd04b
humanhash: bravo-double-august-november
File name: 408524b3a07bacf0028a1667daddd04b.exe
Signature: RedLineStealer
File size: 390'144 bytes
First seen: 2022-08-29 18:40:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4278c660d99d2ff9601b565d45bd967b (3 x RedLineStealer, 1 x Smoke Loader)
ssdeep: 6144:bNUMCxkJNMCh8nXu6aHawRLZWcddQYm/BlB1:b6hxkc+n6CawRLZWcdduV
TLSH: T1AF84F122F583F071D29E1A3020B4E7553ABB6871563404FBAB68266E4FB07D05DB939F
TrID:
  40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.7% (.EXE) OS/2 Executable (generic) (2029/13)
  7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
109.234.34.113:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 109.234.34.113:80
ThreatFox reference: https://threatfox.abuse.ch/ioc/846044/

Intelligence


File Origin
# of uploads: 1
# of downloads: 546
Origin country: n/a
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: 408524b3a07bacf0028a1667daddd04b.exe
Verdict: Malicious activity
Analysis date: 2022-08-29 18:42:12 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour: Sending a custom TCP request

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  SystemUptime
  CheckCmdLine
  EvasionGetTickCount
  EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware lockbit virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 84 / 100
Signature:
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic
  Yara detected RedLine Stealer
Threat name: Win32.Spyware.RedLine
Status: Suspicious
First seen: 2022-08-29 18:41:07 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 18 of 26 (69.23%)
Threat level: 2/5
Verdict: malicious
Label(s): masslogger

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:cspace infostealer
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  RedLine
Malware Config
C2 Extraction: clitspace.com:80
Unpacked files

SHA256 hash: b8daa51ee57c3a99637f9b5524fabe464bbadd843ed1ea73f7a315b487d6b222
MD5 hash: e9eeef195e38cd7f98476347c307bb87
SHA1 hash: e761eef606590c4454d840eafe07a74b6a980f2a

SHA256 hash: cfe75cc1aa3d99703241817f505001852e69f0ed4f4c378d1e7a8dbfd7387727
MD5 hash: af8a11ddd690bcba9ab5b4854024f4fc
SHA1 hash: dc33ca95708e779be8ea7d68ae48edada76d68c1

Parent samples:
1f37241f90d9d5b92f91fbfcad22e1ff2d9224cd4bb612721beaff1d254a202b
1ac9eab9df29b34978762eebf6c5f3bf71c9c9d77d0d91fbd1bbd1527188a941
02089a90f4006d1246425611d6a5665a8f80a4db8bde7c3ea293a33135c49846
57a8047c615d3ddad860225a0cca72f9b0a246fb2a3cd686f2f5fe05dea978e0
bb201f7479adb948e2242ee6a4a318c6563248a589a7ff51aa60afe214b14a7a
66aa5ecc4f0dae281ac5e8511b6da7f72787530b8790c67d4b157418384803ee
3f7993189706b5c666263d2fb4a5c46539769ebc5d1d6c5c0f9ac40f844d9e5c
7332d55834b0a0c86e5e8ca67cd6be25b7a66addaa6dedf47cd8b2f4e1887165
8e9baf00a4e461527ef940cfc19cd8ca1147822fac01ee5e6fa1dffcd094381b
82142e17df191dd5f20c058a3277dfe1ec6da22efd47bb2ef77a0efab0065998
00aec1785f449452e34390b020baa86675492950afc9c6a5f7a173771099c5b2
1308aceedd80ece43e5dc9a62626500689665d3723daa9322030fa3eaae56512
fef5709bb12beac0aea8a1674d4f51d8928739ac3cc9e578d529fdd782288d13
5519a24565aba4928bc5412f6f1d1bbc785f546843389cd7e82df075e5ae259e
9ecea941a914b3cace8532eb189f2f124e006540b9989fd6e68e034ca22ba33d
b604aa9c97cdcb9693637b0c115cebbf5813ec87fcfe03c1f2c33e70a919004a
cdf69eed3c07279712ba05935d348d2e7267c6d71cef734c9c5ab2cc3f704b5e
fb890bf3fa4378aba9257ca7b3b841843a08785752f19c0e88eea9112f021474
009b865e28043f1cae1888ffeee6353017ca772a3d6d05789719f9e5aa7d5947
2c3492537c7a5422e1ec2a4630aefddee04b13c513055df987deab7257d85688
1b80d5790a666a04487b4c4a87df20380c680416f8dbcce2ea7f58dd00faf27a
8fcf89fd8022b7efd6631f1a2a2f8ac7947dbe662b496852dd8349fd0aab4471
89740ab0e12213d31e0e2961a88460abfe9827c0dcbfb6d4369ad7e889eef390
86aa8f8a4a239d33e06778565a603180ee027494bd4102f8def629dd85e19a1f
50e2641b5277bc941243dd22acdb977fa774bdaa6c7eb6c9773e2957a83fa7a2
9bb9418db768535b14b746eae2eb691a6f0e36ccf0de33a18c4d9842cd94f692
9df9fedac09a927e5cb60bcdca9495e6402b8c0328ad0037b7e3c3c63150dfdd
3d640cbedb54ef4da75f9bd58c0767a25c27af5b22239f138078be090caa2f88
e1384145bb48dce3e44a1888ae8ae919cc5c783f5b63cf2bc22098a5a2aab0b6
71fa97186baedff5fd6ec8a79d4c69d23971d32bd8f3daeaa3024fc0114fd837
ce54ef80e1fae6878e8a78d8ffbbc9bf22b7d0c2a647ccfc55eecfe695019568
235667aad7d9f703f1042e857b70bfb7b9b0b2b5bcde1af6fe63663a02064a5b
SHA256 hash: 00b9c3d39697378513dcd54ae22c1bb0dbf85750839af9c947f73681772eab6a
MD5 hash: 408524b3a07bacf0028a1667daddd04b
SHA1 hash: 9bd7f9cd92c6d8f9bf5423fdd4d7a34ed76f6cc8

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 00b9c3d39697378513dcd54ae22c1bb0dbf85750839af9c947f73681772eab6a (this sample)

Delivery method
Distributed via web download

Comments