MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d
SHA3-384 hash:	a89fdf3ae5ab3687917942d7694eeafa0d4989e9e2a8cfd5a91c501a19a845566fd7ec0ce809ae5910e7af0c690e10b7
SHA1 hash:	448ebbb39a2b43f1bddb64f6e6a751bb2bfabed1
MD5 hash:	5cf90a5c703831168b46902608a9e37d
humanhash:	texas-item-butter-tennis
File name:	10480736752FC02E4C2360E1A3066A494C17DB9DB6709.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	189'440 bytes
First seen:	2023-12-14 19:05:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7df1bdeeff2cf1f94a574bfd468d38f9 (5 x RedLineStealer)
ssdeep	3072:Qzf2dFrvBohH6lHI30yevaJpDAAxdF5E6eBlF3NHEbdnUrO7bv1Y:QkCZmvva31E6MXda
TLSH	T191049E0D34D95827D093FF35609898F5895DE53E5BB720A3F6AA26CE4B11BF08936B03
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
5.75.215.196:443

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://cdn.discordapp.com/attachments/1162771844215083073/1162772507439411363/Installer.zip?ex=653d2749&is=652ab249&hm=cbc6a7e3c55746f296ba468624740bd4684bfb4cf916c58defe1e4afd82c8171&

Verdict:

Malicious activity

Analysis date:

2023-10-15 15:29:04 UTC

Tags:

payload

Link:

https://app.any.run/tasks/bc192b8e-025c-4cf1-bc8a-9e558db59220

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/467498/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

nitol stealer tiny zusy

Link:

https://www.filescan.io/uploads/657b8569b4e856b7281a6442/reports/9d302351-4c09-4f9f-8410-3eff91df83d3/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f8997d05-0822-437a-8c19-ed8a46fc9372

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1362342

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-10-15 15:53:47 UTC

File Type:

PE (Exe)

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cbeaontvf7ac4tbdmdq2gbtkjfgbpw45wzyjwxlgehk7f2pksiwq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:5637482599 brand:microsoft discovery infostealer phishing spyware stealer

Link:

https://tria.ge/reports/231214-xr23ysfhgk/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Detected potential entity reuse from brand microsoft.

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

https://pastebin.com/raw/NgsUAPya

Unpacked files

SH256 hash:

8303b8983ed5f1ad8a53d4629c02cebd9c067d1976712c03d80cc4e3846f42ce

MD5 hash:

ee36084695d41b2a997306c3ff332083

SHA1 hash:

2e828257dc559fffea51d7c51a07140ce80aa644

Detections:

redline

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/78d6664b-2c1a-4f58-953d-96ac21e68e95/

Parent samples :

1155b82749364016f6a7232f58f169029706bf61da9e19d97b015eca502e3396
aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b
3ff4f96ffdfc8fc6a6fc58a959d682bc9c1a8f631871217e924d84073c7fe876
10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d
3467893f47bdbaa0fb58975fdce620c2591a2064703f56fab29313afa3fe9cff
297e3d063b460078308a5c84bb86b13c9bb878a47d02446b0a1ecc25b690e3eb

SH256 hash:

10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d

MD5 hash:

5cf90a5c703831168b46902608a9e37d

SHA1 hash:

448ebbb39a2b43f1bddb64f6e6a751bb2bfabed1

Link:

https://www.unpac.me/results/78d6664b-2c1a-4f58-953d-96ac21e68e95/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/467498/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample