MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e701945baf319d76eb551ca7870e0f984da636bb0c375059d4d0aadba702c66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e701945baf319d76eb551ca7870e0f984da636bb0c375059d4d0aadba702c66
SHA3-384 hash: 878eedb53a589c8c1cddf3828a41801e1d391dfbedaddcea3092e2d2351ad1bcf3c36ace8e594e179ee1a01632e3cce7
SHA1 hash: 2ec751f4e0f84b6ce0e3375404b888c1b6412957
MD5 hash: 0fc880757c02b8e027be470eb4f77d14
humanhash: orange-fruit-golf-winter
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'976'496 bytes
First seen:2022-09-08 07:23:28 UTC
Last seen:2022-09-10 16:05:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:zWbRPTMybiPZj9Le2khNgpihy1ovXap0kdNIOGVqJRZgDnWI+EUYmUj:zF/9oOQMOXapPK2+3+EU4j
Threatray 220 similar samples on MalwareBazaar
TLSH T1093601A632D4B055D3D58837C837EE7071BFDD2A4B42A8BAA9C97DC629331F4E212543
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon e88e236d6d238ee8 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎
Issuer:☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎
Algorithm:sha1WithRSAEncryption
Valid from:2022-09-06T11:02:11Z
Valid to:2032-09-07T11:02:11Z
Serial number: 155de4c675120fbc49766d3d8fdd67d4
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8efbe20233e0d44c07073da114c2badcd4fd18c7b922c6ebef1f944a93429499
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc523958404_646005058?hash=zNrMpNLlpLa6QQyOMDNFEzxON8IpdpVZ8r4sIHgxedD&dl=GUZDGOJVHA2DANA:1662543773:zcZzMPm6RTcJYg48hdYikHfpzxXBbfLnTQEa5bRlYNL&api=1&no_preview=1#orig300us

Intelligence

File Origin
# of uploads :
9
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-08 07:23:53 UTC
Tags:
redline
Link:
https://app.any.run/tasks/3271c68f-bbde-4de9-819e-4be25c18b5c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308661/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.8546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/63199895d836d6918483bacb/reports/db780b4b-9c14-45e1-be6f-f67064ffed24/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7232ac50-2acc-4137-a7d9-074348ec6dd6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1066925
Signature
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e701945baf319d76eb551ca7870e0f984da636bb0c375059d4d0aadba702c66/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 07:24:12 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzybsrn26mm5o3vvkhfhq4ha7gcnuy3lwdbxkbm5jufk3otqfrta._file
Verdict:
malicious
Similar samples:
334cb64aa73b057c4ee603a2268a82fc26ac07217f1f62c6602dff6c90823574
RedLineStealer
34236af748c61f176365a8f5c10b40c7994767398565f5b786591608d8bad0b6
RedLineStealer
a0d18375b944c31bdbe13a20fd82c34b02f5e1c64a007e26abdcf45dedc5f411
RedLineStealer
a0f70f88c9a376e7c0f7e508c796bf1dbbf58ff8b172b9aff3421be63e2d7f78
RedLineStealer
a9eb984c9de2d2d061babaaec8c15a04895af2cc0653d044f7092ba73013da5b
RedLineStealer
b4475836595207c786fb1bb658776b19a668e1ff8aff9f688f9fa18c20d93924
RedLineStealer
ba82cdc4db591f35dc0371faf051f1ace9f8e0151b01cc8d0568102351ee8cdf
RedLineStealer
eb0b227655cb6d2bf32e98562f1abb246b6490ba279c10bc6d33f59324be305b
RedLineStealer
f2868e62bd867e2032e3d749b9934e39919d1e8d0883e9c399af4e2130f6807a
RedLineStealer
+ 210 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/220908-h8cr3adhg6/
Behaviour
Suspicious behavior: EnumeratesProcesses
RedLine
RedLine payload
Unpacked files
SH256 hash:
316975069b3b39bd6057d473a08143a3e87e3905c0a6166a84b6a333d5d9743a
MD5 hash:
20504a82aa93a4b64dfeee31c7712df2
SHA1 hash:
eba49ca2f0d959fffaaef0e3c8cc34d6ef2ca114
Link:
https://www.unpac.me/results/61d8c4c4-440f-4098-936a-db5ed084b967/
SH256 hash:
5acf4bd6a640dc02bb9dbd5268cad9dbf00777bae79fd1eb8e0dbc5a48fb9fbe
MD5 hash:
7d24df6c149aaf8e2a58c2a2df9142a7
SHA1 hash:
49352b4764d3cfaa183c8e06f6f9367375ee53e4
Link:
https://www.unpac.me/results/61d8c4c4-440f-4098-936a-db5ed084b967/
SH256 hash:
0e701945baf319d76eb551ca7870e0f984da636bb0c375059d4d0aadba702c66
MD5 hash:
0fc880757c02b8e027be470eb4f77d14
SHA1 hash:
2ec751f4e0f84b6ce0e3375404b888c1b6412957
Link:
https://www.unpac.me/results/61d8c4c4-440f-4098-936a-db5ed084b967/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e701945baf3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0e701945baf319d76eb551ca7870e0f984da636bb0c375059d4d0aadba702c66

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/308661/

Comments