MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2
SHA3-384 hash: 19fac1bfbbf3f8963cf3dabd3c93e0a6a08c8e3312b48d67f84f28461b82c3bc1667a8a6765a43a8e33eee97e3dc1071
SHA1 hash: 44fb399a95aaddd99270fe73a8705f53c0f73b72
MD5 hash: 46a22f0849344f152364d921c3c28435
humanhash: michigan-potato-summer-four
File name:SecuriteInfo.com.Win32.SpywareX-gen.27732.11537
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'757'184 bytes
First seen:2023-10-03 22:32:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0019c5cc9dc02122ed11385f5bfdf094 (4 x RedLineStealer, 2 x MysticStealer, 1 x Backdoor.TeamViewer)
ssdeep 24576:WwzT5gWn2HsJRx/6a9DhvhSCPhwtzZc7m6fgA7:dx/6a3vtqtu7m6
Threatray 349 similar samples on MalwareBazaar
TLSH T1EE850C41EFF95B89F6F35FB856BAA611087ABC6ADB11C2DF1261504E0821BD0C970B37
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://github.com/abamo12466/alexandro/raw/main/Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-10-03 19:23:46 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/4581856f-52d7-4cb7-af97-13646111dd08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.27732.11537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/651c9664a31588d184f00799/reports/3dee81a0-dab4-4c7a-8fc4-4d1450415704/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40efa59f-1243-4744-b613-4ef1066c9cd5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1319075
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 20:26:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 23 (69.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cba77j76cekhxstfpr7zwwfxnjr7von63ua6g5zg46s7tx3sv3ja._file
Verdict:
malicious
Similar samples:
48eb3ec3e2861155e7452daa59c6b022f15c3927bcd482fe15b0827460e58c6c
RedLineStealer
4b0669367c06892e5cb520e4cc0d135c93d3e361bb5e2d638a87bfb6854f1c03
RedLineStealer
4d7e863742ac8167ec9f6d83ade46c04c3d70c802dd1e64721324f52c6afd9a4
RedLineStealer
53adecc01775047c7456f6a02f11ffaa6e9addaf2bbf718c3aef0cbcc2b135aa
RedLineStealer
5b333ffb18361963d4546ef43e7e0bcba46a996bac0fb52d0062d739fe226295
RedLineStealer
a256cdcf68d1a64bdb3db85f88ec27da75a032f338d8740cffcbdf66b85f9d74
RedLineStealer
b8ab78bc455194d9105924f5978ccf726e209947449965c76b11ff740575bcb6
RedLineStealer
ce6b6c8ea7fb50823f78abeb4eca078365869c5d05b973ff55deb121bb696d05
RedLineStealer
d244f5cbe0e5216fd844051da74daea1fda47c288ef2c21c18452de5a40e7524
RedLineStealer
dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933
RedLineStealer
+ 339 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/231003-2fx23shg28/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
RedLine
RedLine payload
Unpacked files
SH256 hash:
ac261770ed61e6f38077475016b53535cc508268d9f4cde7ffd0aa0f6756ace4
MD5 hash:
7b8a5df6f305a857b9fcb52fc1caed91
SHA1 hash:
990f9d50da25bbcadfbfc872c4691f2245686edf
Link:
https://www.unpac.me/results/f0fe0040-8f40-4e2d-8621-6dd9e7d640ea/
SH256 hash:
1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2
MD5 hash:
46a22f0849344f152364d921c3c28435
SHA1 hash:
44fb399a95aaddd99270fe73a8705f53c0f73b72
Link:
https://www.unpac.me/results/f0fe0040-8f40-4e2d-8621-6dd9e7d640ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_stealer_bytecodes_sep_203
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2716205/
  
Delivery method
Distributed via web download

Comments