MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 035c9bb80108098f5ecf852200e5760b9bc2c7fde5038c448f5a9fef70578c16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 035c9bb80108098f5ecf852200e5760b9bc2c7fde5038c448f5a9fef70578c16
SHA3-384 hash: 1c1a9d5aeb358e9d592635b2279d08d6c053aedd01144810d56f949cff7f37e60d8b04ac127cc4f22a2f22ffd282f93b
SHA1 hash: 13ed8a485668a555853399071280d60ff264c913
MD5 hash: a438843b4cc003cb83af941ccb60fd61
humanhash: whiskey-pennsylvania-fourteen-blue
File name:44095424.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:340'992 bytes
First seen:2023-05-13 22:42:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ac5563f259b76cfa24f9c5fb695402f6 (2 x RedLineStealer, 1 x IcedID, 1 x Smoke Loader)
ssdeep 6144:doxwfScPvHgoXWbmrh1q9+EOFCLdNaD/1g:duwf1fgyWmgoDwLdNA
Threatray 42 similar samples on MalwareBazaar
TLSH T193741A1393E13D44EA6A8BBA8F1FC6E8771EF2508F49776D11299E1F08B11B2C263751
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0018b494c0e1c4c4 (1 x RedLineStealer)
Reporter JaffaCakes118
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
44095424.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-13 23:00:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d21a0bdc-a980-431f-99fa-0caed2b0ce98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388961/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a file
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Disabling the operating system update service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey gandcrab greyware packed
Link:
https://www.filescan.io/uploads/64601279e68f9cbce80c3a7b/reports/cc480642-0fa7-4604-b83b-f90f69e49396/overview
Verdict:
Malicious
Labled as:
Exploit.Convagent
Link:
https://www.hybrid-analysis.com/sample/035c9bb80108098f5ecf852200e5760b9bc2c7fde5038c448f5a9fef70578c16
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d77f59d8-3a8e-4d62-8227-25a32c4d9cc7
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1232643
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/035c9bb80108098f5ecf852200e5760b9bc2c7fde5038c448f5a9fef70578c16/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 05:00:53 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anojxoabbaey6xwpqurabzlwbon4fr754ubyyreplkp664cxrqla._file
Verdict:
malicious
Similar samples:
01964fca4b4c21a44fe6687cac7280f7f8ee527e9eb0259fef51f954e63a8784
RedLineStealer
2bb3f8f4fd9426b25ba8ecb2636114cb322920f2921bd026ae1993f0279852f6
RedLineStealer
33d9b9f05bae370e7003a3ac885b1439ce19eae1313d2ef7fa8484c92f6ec831
RedLineStealer
49d64c073de8058ac280d07313bf7d87be0dd4cea277667b797b80c2efee92e0
RedLineStealer
a440dc1fa969ed60fa4ca88d02c6d6748049684de038f5264b23c6ee4a5a991e
RedLineStealer
ad68078b09e38ac511f58bbd2a8cb9242e8415ae6fca7fc44daed1957f4be6ed
RedLineStealer
baee2df2edbc11e49528f1949fe0d56bfbdfb8c3bb6bc5001fe51b97987f517f
RedLineStealer
da030cef1bc08dfb6a6da58b884827b41be987d7b274d65b23bebfe7adee4e79
RedLineStealer
ef9c333d991d81cd06738ae618dcd6844da8a119621d8d71a2b05f45005a6437
RedLineStealer
f6178a5499c6c8a5c24a0c6ab921859725862ddae64ba2de3c94857c116e77b7
RedLineStealer
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/230513-2m83xsbh5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Windows security modification
Modifies Windows Defender Real-time Protection settings
Gathering data
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/035c9bb80108/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/035c9bb80108098f5ecf852200e5760b9bc2c7fde5038c448f5a9fef70578c16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/388961/

Comments