MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01f3a1e4bcd6a1c6118d76b9450c32766ba37b05b7203ff787f08f1cfa1c9b62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	01f3a1e4bcd6a1c6118d76b9450c32766ba37b05b7203ff787f08f1cfa1c9b62
SHA3-384 hash:	b369b8d25a401bf131d666dcde66925ec29c2dee1a70b99f2f1fb95f21fb9fa0da4b3333e213fa56db4e7e37a609a1af
SHA1 hash:	02e71661f63eb831f5f0dfae0d045ee6c1f93042
MD5 hash:	c5adddfbbb663e6f133ad58542966a5c
humanhash:	robert-hot-utah-xray
File name:	jvgwa.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	964'608 bytes
First seen:	2023-07-07 16:12:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:ilvF1lALkkkkkkkkkkkkkkkkVlLfh/pUjY3xqrx49UcCkzA5YYz1kkkkkkkkkkkE:WTEl0Y3xq10UBpt/l0Y3xq10UBC
Threatray	548 similar samples on MalwareBazaar
TLSH	T11225AE253286CE11D5980A75C0E380F507F2AE87F172D74B7E84BEDA3D323998E56789
TrID	59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.6% (.SCR) Windows screen saver (13097/50/3) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SquiblydooBlog
Tags:	exe Redline RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

335

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

jvgwa.exe

Verdict:

Malicious activity

Analysis date:

2023-07-07 16:15:25 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/f706e9f8-e58f-4698-a084-c14172261ce2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/410917/

Detection(s):

Sanesecurity.Malware.28889.FZF.UNOFFICIAL

Win.Trojan.Redline-9938775-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Adding an access-denied ACE

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex control lolbin packed packed stealer

Link:

https://www.filescan.io/uploads/64a8398f2333b198b2392493/reports/d263d596-a916-4b8c-9516-df850b356e55/overview

Verdict:

Malicious

Labled as:

Ser.Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/01f3a1e4bcd6a1c6118d76b9450c32766ba37b05b7203ff787f08f1cfa1c9b62

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/215732c4-03ed-47f6-8be3-e978a542a188

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/01f3a1e4bcd6a1c6118d76b9450c32766ba37b05b7203ff787f08f1cfa1c9b62/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-07-06 17:24:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ahz2dzf422q4memno24ukdbsozv2g6yfw4qd754h6chrz6q4tnra._file

Verdict:

malicious

RedLineStealer

1f91aac4ba607d0a8336c397e5a79bb34563a1f01df927f837b66b3d2c532bfb

RedLineStealer

4bd74d156f2008ef46143cbf817d27712aaf17cafe34bb3dd664d9ef5ae32e64

RedLineStealer

94ae480fad3a5edf43781bb4a357f95147c67cfd8ac71fc3540f61d0931c5376

RedLineStealer

a72adbf4aefb73bde32b6e71408d1519dd0554612fcc7ea2a5b4c07dad645c60

RedLineStealer

b8254f6435b125aa27f14b554aa14404d3bb1a55a9e659acd4eb22fc6e8abb80

RedLineStealer

c7bb516ffce734e561f4b1a7ddc9174b8c5b44f41c01e2cdb226374e8ab489b5

RedLineStealer

c93de4b5c5e1c242456a82be1287bafe7d6b8463e7e36a06add1d9b79134c3b4

RedLineStealer

d1f92a1ee28a016edfc091be927a75202c851e2aaaf1a56ea3f7b6d0ee81baaf

RedLineStealer

fbcba25bd85581fc264cc904e1e6cfccbe7dd66fb853b250f38ad0761d0ff1e5

RedLineStealer

+ 538 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@anatoshascam - 05 infostealer spyware

Link:

https://tria.ge/reports/230707-tn3njaab73/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

5.42.64.70:45663

Unpacked files

SH256 hash:

e0b457f6f6d6365cbe68167fe776cf57ee587ab792d68d96dd3b5fc7b4817e80

MD5 hash:

7a3ed67700f513b0dd7c6e1833675257

SHA1 hash:

a545058d8d997c65fcc52f367aa3dd72068eb034

Link:

https://www.unpac.me/results/06dfef2c-71d7-4d43-b383-3224c26c41d4/

SH256 hash:

d4b4515ac01ec85e070e884998aac0d7fd843a72c578c88de6a578ad4f60d4c2

MD5 hash:

f5541b6f9c1fa1845131f0a66e97c9b2

SHA1 hash:

73aeddd820e1c696c673e46c41ee319ae24bab33

Detections:

redline

Link:

https://www.unpac.me/results/06dfef2c-71d7-4d43-b383-3224c26c41d4/

SH256 hash:

e0b457f6f6d6365cbe68167fe776cf57ee587ab792d68d96dd3b5fc7b4817e80

MD5 hash:

7a3ed67700f513b0dd7c6e1833675257

SHA1 hash:

a545058d8d997c65fcc52f367aa3dd72068eb034

Link:

https://www.unpac.me/results/06dfef2c-71d7-4d43-b383-3224c26c41d4/

SH256 hash:

d4b4515ac01ec85e070e884998aac0d7fd843a72c578c88de6a578ad4f60d4c2

MD5 hash:

f5541b6f9c1fa1845131f0a66e97c9b2

SHA1 hash:

73aeddd820e1c696c673e46c41ee319ae24bab33

Detections:

redline

Link:

https://www.unpac.me/results/06dfef2c-71d7-4d43-b383-3224c26c41d4/

SH256 hash:

01f3a1e4bcd6a1c6118d76b9450c32766ba37b05b7203ff787f08f1cfa1c9b62

MD5 hash:

c5adddfbbb663e6f133ad58542966a5c

SHA1 hash:

02e71661f63eb831f5f0dfae0d045ee6c1f93042

Link:

https://www.unpac.me/results/06dfef2c-71d7-4d43-b383-3224c26c41d4/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/01f3a1e4bcd6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/01f3a1e4bcd6a1c6118d76b9450c32766ba37b05b7203ff787f08f1cfa1c9b62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/410917/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample