MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 014e574ce2454214c7aa61d94ebb9be669ead513d2bb60b9fdf527907c088792. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 014e574ce2454214c7aa61d94ebb9be669ead513d2bb60b9fdf527907c088792
SHA3-384 hash: 8e43dcc509860773e4e52747d8a84d29e2f4d56127ea31b063174b18932be73ba49833e102e33a747dec0f01f03c0761
SHA1 hash: 7cf487b2e53082db71d2925e639a8a1f1364e8c8
MD5 hash: a8d5099c843e6294a49673286a719b6f
humanhash: orange-high-william-thirteen
File name:a8d5099c843e6294a49673286a719b6f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'065'468 bytes
First seen:2023-05-28 22:15:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6011984d7c1f1b97a34d7517a498bff8 (8 x RedLineStealer, 5 x STRRAT, 3 x LummaStealer)
ssdeep 98304:Rc+3jotiAEnqkTDeYTCBhllPTBrHJWGs2NyqeoNE/7SRYY2VymGu/m6zHAlA64T9:rjOpnkTD2ZZTVHJack+YlGlSRRV
TLSH T19F66F163B0DA2471F8732A3678929432393E1C9CE0462DA929F4AED7F572D0C5F4B791
TrID 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
195.201.253.174:40309

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a8d5099c843e6294a49673286a719b6f.exe
Verdict:
Malicious activity
Analysis date:
2023-05-28 22:18:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28729761-f279-43f2-90f5-f66e91c65588

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/392874/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Win32.Stealer.dxrg.11130.9083.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88387/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6473d2a3c49c8073bd0b1224/reports/4aaf00c7-369c-4b76-add4-787331954bef/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/014e574ce2454214c7aa61d94ebb9be669ead513d2bb60b9fdf527907c088792
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OWASP
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9cb047f5-fe86-422f-8f0d-f13294d85218
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1244148
Signature
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877154 Sample: nl1qwoop4Z.exe Startdate: 29/05/2023 Architecture: WINDOWS Score: 64 21 Snort IDS alert for network traffic 2->21 23 Multi AV Scanner detection for domain / URL 2->23 25 Multi AV Scanner detection for submitted file 2->25 8 nl1qwoop4Z.exe 2->8         started        process3 process4 10 javaw.exe 23 8->10         started        dnsIp5 17 theloder.top 194.87.82.254, 443, 49699 NFA-ASRU Russian Federation 10->17 19 192.168.2.1 unknown unknown 10->19 13 icacls.exe 1 10->13         started        process6 process7 15 conhost.exe 13->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/014e574ce2454214c7aa61d94ebb9be669ead513d2bb60b9fdf527907c088792/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=afhfothcivbbjr5kmhmu5o434zu6vvit2k5wbop56utza7aiq6ja._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230528-16r33sgf49/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
014e574ce2454214c7aa61d94ebb9be669ead513d2bb60b9fdf527907c088792
MD5 hash:
a8d5099c843e6294a49673286a719b6f
SHA1 hash:
7cf487b2e53082db71d2925e639a8a1f1364e8c8
Link:
https://www.unpac.me/results/e47372f6-7002-4c9c-92ee-2583d9e6abad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/014e574ce2454214c7aa61d94ebb9be669ead513d2bb60b9fdf527907c088792

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/392874/

Comments