MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13c51a33b44195c29f97d14decf56c3d6a0b9af2db57f157a872c165376a39f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13c51a33b44195c29f97d14decf56c3d6a0b9af2db57f157a872c165376a39f8
SHA3-384 hash: 05564296259d4310427b9f6709cb0cfa1adbaa85847ff004830db3d1a95e351de0453d96f101e289e53ff97f7f6d75b3
SHA1 hash: 2936ecdfc254c232b918b5b87698000063b42332
MD5 hash: 6aef50562e3b2a5b93ba4b8a5c349814
humanhash: high-tennis-cat-twelve
File name:6aef50562e3b2a5b93ba4b8a5c349814.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'864'088 bytes
First seen:2023-01-30 12:42:14 UTC
Last seen:2023-01-30 12:42:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c119c0b545be0f5d03be66ae71633b8 (2 x Arechclient2, 2 x RedLineStealer)
ssdeep 49152:IgvCZ3NZtPGqLq4dRX5pRjUMgc7JLN6E206W5kDg866lbkFjNnAMs1assprgpqog:xvChPtuIBDR77NN6/095Mg866qAMsrsm
TLSH T193D5CEC09065C67EE76E5F33B4799A08113F2E13AB96F06FD0AEF486A1F9D482C145C6
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e8f0cc544de8f0f8 (2 x Arechclient2, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:www.indeed.com
Issuer:www.indeed.com
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-29T21:12:09Z
Valid to:2024-01-29T21:32:09Z
Serial number: 15eab04446b5488847cd12d7c55374ab
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a201382091cc8d0c13357faf5e030f9bbb899c5733e597ebc599c686c9560801
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6aef50562e3b2a5b93ba4b8a5c349814.exe
Verdict:
No threats detected
Analysis date:
2023-01-30 12:48:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e618851c-8795-4307-b571-fb61d39d1f36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358296/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63d7bb57696b2d972574e779/reports/00f9b28d-2bf1-44e7-bb30-8d2af9431ec7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c6525038-c2f9-4752-b647-9f14433a2d84
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1161687
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 794440 Sample: 3jp0wWDK7I.exe Startdate: 30/01/2023 Architecture: WINDOWS Score: 84 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected RedLine Stealer 2->29 31 Machine Learning detection for sample 2->31 7 3jp0wWDK7I.exe 3 2->7         started        11 tofojet.exe 2->11         started        process3 file4 23 C:\ProgramData\fayavo\tofojet.exe, PE32 7->23 dropped 33 Detected unpacking (changes PE section rights) 7->33 35 Self deletion via cmd or bat file 7->35 37 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->37 13 cmd.exe 1 7->13         started        16 tofojet.exe 7->16         started        signatures5 process6 signatures7 39 Uses ping.exe to sleep 13->39 41 Uses ping.exe to check the status of other devices and networks 13->41 18 PING.EXE 1 13->18         started        21 conhost.exe 13->21         started        process8 dnsIp9 25 127.0.0.1 unknown unknown 18->25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13c51a33b44195c29f97d14decf56c3d6a0b9af2db57f157a872c165376a39f8/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 12:43:09 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cpcrum5uigk4fh4x2fg6z5lmhvvaxgxs3nl7cv5iolawkn3khh4a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230130-pxxfnaca5z/
Unpacked files
SH256 hash:
13c51a33b44195c29f97d14decf56c3d6a0b9af2db57f157a872c165376a39f8
MD5 hash:
6aef50562e3b2a5b93ba4b8a5c349814
SHA1 hash:
2936ecdfc254c232b918b5b87698000063b42332
Link:
https://www.unpac.me/results/3f6331af-e818-4657-acd4-36bf2f4a773e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/13c51a33b44195c29f97d14decf56c3d6a0b9af2db57f157a872c165376a39f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 13c51a33b44195c29f97d14decf56c3d6a0b9af2db57f157a872c165376a39f8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2520886/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/358296/

Comments