MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e2eb28fe18dac4a0d8d984ee8c1f16d500b4979dc57941bee3336ac2b231cd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e2eb28fe18dac4a0d8d984ee8c1f16d500b4979dc57941bee3336ac2b231cd4
SHA3-384 hash: c2783e7e008795bfb11d015627082a16b7cf215bd8d630f7d9951ea3c48c8e57e32b28c25ae4819beb7245c2de052558
SHA1 hash: 9759235aab390a562479eb69b8ec99926b5e27e9
MD5 hash: bf05ea353d661fb790d386660b909a50
humanhash: nebraska-twenty-kansas-may
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'226'240 bytes
First seen:2023-10-13 10:10:07 UTC
Last seen:2023-10-13 19:15:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9b0aa150c770a62666d246af48611e04 (7 x RedLineStealer, 1 x LummaStealer, 1 x Amadey)
ssdeep 12288:u43UZuZNnpsxE7UOtPHwWOnnnP0xfp5+boc/YPMQyqut8lZBRe71ahfgIBiHafcB:gipsxE7UOtPH9/xx5n02fNDMaftv2Y
Threatray 886 similar samples on MalwareBazaar
TLSH T16D459E2038C191F5EDE210F747ECB92682AED0B017161EDB86D947EFFB106E57A325A1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
32
# of downloads :
327
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-13 10:11:44 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/631f32b8-5a2a-4adf-b156-91ecca1ec0bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454090/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5527.21474.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652917b7a29a700213a15e26/reports/45284c31-39ea-43e9-b739-39ea8c625134/overview
Verdict:
Malicious
Labled as:
TrojanSpy/Stealer.fk
Link:
https://www.hybrid-analysis.com/sample/0e2eb28fe18dac4a0d8d984ee8c1f16d500b4979dc57941bee3336ac2b231cd4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a4348de-dc25-4944-a832-189fcb00c9f2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325208
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e2eb28fe18dac4a0d8d984ee8c1f16d500b4979dc57941bee3336ac2b231cd4
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e2eb28fe18dac4a0d8d984ee8c1f16d500b4979dc57941bee3336ac2b231cd4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-13 10:11:06 UTC
File Type:
PE (Exe)
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=byxlfd7brwweudmntbhorqprnviawslz3rlzig7ogm3kykzddtka._file
Verdict:
malicious
Similar samples:
16d1a075654019ae8daaa42fdd5de6900f9956c9bcd76d0213678af49acacacf
RedLineStealer
3b9ef2faa5c5296d0a5726f5281917174863a1b508d990614c217680756bc13e
RedLineStealer
8e9770db582fc850ceb383a1ca4ea5b0bc735fff5a78e3c3ae7ef2586c13b6e2
RedLineStealer
95b032534407f098cd6afaf8388a08348f7c3ce991059cd65eb66885451018cf
RedLineStealer
a8bfc39a6a66618b85358ed2a18335999503725cd12ff0651110a01a20fbbfb3
RedLineStealer
b845d0fcdba96d43d571a8a8500c9f2db33cd9f8bf03dc75f7a36a97d35ccac7
RedLineStealer
c0c2972d24da63cb3842d3a17c54652e5992c4f249556f90960a002e7aa9ef0b
RedLineStealer
ce78b18767d7895f03c85d5993742c8b0b02c2b9a64db086191ae434f9991d19
RedLineStealer
cea3ee8938e05ad1e79dc4a6efa59c72b65415cfdb3b3cee9bbd0298d44ef824
RedLineStealer
e44e855351c4f1d3288ce0f27dee291c988aeecab3d15a690f9fa6fe10f1c56a
RedLineStealer
+ 876 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:unique285 infostealer spyware
Link:
https://tria.ge/reports/231013-l7xydsgd6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
8dd24991559eee64a400a8d99df5a92961f82551b0c4da3cb3af85bbc6ac6b49
MD5 hash:
793cc27088e8f4668000978f3c79f210
SHA1 hash:
7c8d36418718913daaca6eec0711f2dca9542a58
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/851e4962-ff9c-4c46-8382-20d7fb679658/
Parent samples :
79f97ade11408fff0371a3a995a783c35b19a026b7513c577f2eea4eebfef79c
78021d077fab98faec6d33eeaba4db8065c0ed42bd318a54fcac145dbe0585dc
188b8da8db2bdac352d6cc04b0970dfc438f8ec6e57c12b4d4d91cb95bedd88a
0e2eb28fe18dac4a0d8d984ee8c1f16d500b4979dc57941bee3336ac2b231cd4
SH256 hash:
0e2eb28fe18dac4a0d8d984ee8c1f16d500b4979dc57941bee3336ac2b231cd4
MD5 hash:
bf05ea353d661fb790d386660b909a50
SHA1 hash:
9759235aab390a562479eb69b8ec99926b5e27e9
Link:
https://www.unpac.me/results/851e4962-ff9c-4c46-8382-20d7fb679658/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e2eb28fe18d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/454090/
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/

Comments