MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325
SHA3-384 hash: 548d4e2761dc93dab6de3fc7039e2643e3d7a22c92c915fa29520c294c4e9590da86baf558d177fbc352eb839cf50ea3
SHA1 hash: 0854d68bf709c0a423e47c63eb0b6e9726c9c08f
MD5 hash: c2d98ce6d441b79d1ec3d50376b46b9a
humanhash: uniform-sad-hot-white
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'876'480 bytes
First seen:2023-01-19 16:48:29 UTC
Last seen:2023-01-20 18:49:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 49152:wkQTAUs8KECSOKf6n3C1s13gvSorrzsAf9yWU5:waCBOfICQvDrEAfwWU5
TLSH T1E695232070E0C177E477817414A2CE2A7B356233877A8AE3B79D1ABE9F612D192753CD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc139074685_654609786?hash=hVE2rEABvE6A6LDs1XzEqoaCTU9U0ETEZcxLljO8J30&dl=GEZTSMBXGQ3DQNI:1674144167:pP54NKZF4fUyi9YfFICQUQPdPi5WUZam7s3UZylNPow&api=1&no_preview=1#kyp214

Intelligence

File Origin
# of uploads :
31
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-19 16:49:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/388bc9e7-e888-455b-b584-76a4040a1df5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/354656/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61543/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EnumerateProcesses
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63c9747fdeddc48f89f8270f/reports/6819dec0-f304-4242-9d33-0c5acfcef1b8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19b3063c-3085-4d20-8439-9c3abdac9fb0
Result
Threat name:
DCRat, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154900
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DCRat
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787632 Sample: file.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 Antivirus detection for dropped file 2->42 44 7 other signatures 2->44 9 file.exe 4 2->9         started        process3 file4 28 C:\Windows\Temp\1.exe, PE32 9->28 dropped 30 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 9->30 dropped 12 1.exe 3 11 9->12         started        16 conhost.exe 9->16         started        process5 file6 32 C:\Users\user\AppData\...\agentServer.exe, PE32 12->32 dropped 34 C:\Users\user\...\x1j7cF9kcN8pqeKG.vbe, data 12->34 dropped 54 Antivirus detection for dropped file 12->54 56 Machine Learning detection for dropped file 12->56 18 wscript.exe 1 12->18         started        signatures7 process8 process9 20 cmd.exe 1 18->20         started        process10 22 agentServer.exe 14 3 20->22         started        26 conhost.exe 20->26         started        dnsIp11 36 ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States 22->36 46 Antivirus detection for dropped file 22->46 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->48 50 May check the online IP address of the machine 22->50 52 Machine Learning detection for dropped file 22->52 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 16:49:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=adc3hrluau5b7ku5e32eu45z3nzbpdpbj2k6i2etvb4sffmxwmsq._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/230119-vbnjhsde6y/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
DCRat payload
DcRat
Unpacked files
SH256 hash:
c09d7b1ecf9dd4917c8f081132ac5c533bc326959505d7364aa546d4822e5c9c
MD5 hash:
60b6a611559a27f113b51c76733f26d0
SHA1 hash:
6dc70a539f0d1c8b9a84edef26c2bdf82bbfa098
Link:
https://www.unpac.me/results/51c6bf90-c216-412e-8a6f-f8838eb8cbd2/
SH256 hash:
af554fb39daa6ce8d535472e7fabba6beff228960323d387ec3f24dff7528e31
MD5 hash:
f40f8638fc497fa3243fe49b9cad822d
SHA1 hash:
fe0b80e73d67d3115347b142cd97193a477a4348
Link:
https://www.unpac.me/results/51c6bf90-c216-412e-8a6f-f8838eb8cbd2/
SH256 hash:
b71e5dda8712a7cfc7a042e460b63ee9268d6b316902a79923128af77c266200
MD5 hash:
75e34141cdf93ffbba8909c89596d546
SHA1 hash:
dfe0e6908f0ffd1e6baaa42bd8ad5fd2075da5bc
Link:
https://www.unpac.me/results/51c6bf90-c216-412e-8a6f-f8838eb8cbd2/
SH256 hash:
4a5d12b5bd7e11ad2e64cd2967d7578bdfa5166b6d3a2519643d4a2427040e5a
MD5 hash:
a94f08ef7e6a3c39c0f11a2ee50c5c6c
SHA1 hash:
b5457f0ae7765179517b72eaf3a85afa4c198c49
Link:
https://www.unpac.me/results/51c6bf90-c216-412e-8a6f-f8838eb8cbd2/
SH256 hash:
adf552c2baff08a671d9ec4d05e09e58334656a4a0772bba773d6c2bd63a54b0
MD5 hash:
f8b5f3f65ef6c9e0eaf8df283994ad7c
SHA1 hash:
896cff2de3dfdf89cf0ae811986d38791a60590e
Link:
https://www.unpac.me/results/51c6bf90-c216-412e-8a6f-f8838eb8cbd2/
SH256 hash:
33938cf6f967d5d533e38630592b06e8a8c6d331e320c0b461d26d885577d8b5
MD5 hash:
9deeeaed70757d832c9a000ae908a9c6
SHA1 hash:
743e18553a9492dca72d3d8f933f5c3f9fc53cbb
Link:
https://www.unpac.me/results/51c6bf90-c216-412e-8a6f-f8838eb8cbd2/
SH256 hash:
00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325
MD5 hash:
c2d98ce6d441b79d1ec3d50376b46b9a
SHA1 hash:
0854d68bf709c0a423e47c63eb0b6e9726c9c08f
Link:
https://www.unpac.me/results/51c6bf90-c216-412e-8a6f-f8838eb8cbd2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00c5b3c57405/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/354656/

Comments