MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1432dcdf2a40ff4c185da791fb136e8cd2dd94f8b38ec29631e14e7af8416cbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1432dcdf2a40ff4c185da791fb136e8cd2dd94f8b38ec29631e14e7af8416cbe
SHA3-384 hash: cc62eced133f4e911bda0c049fc34c8661e0f6040284e4ba1d96738eb52fb08c98876c68e45dcfee61f288703c10c70f
SHA1 hash: 59d09b0ce8700fd54f810ec2fd447a2f6043a7ee
MD5 hash: 51a8a7550d6491f1622e441591731e79
humanhash: yankee-lima-artist-mobile
File name:SecuriteInfo.com.Win32.CrypterX-gen.6166.21226
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:952'320 bytes
First seen:2023-09-13 18:32:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35646f486d46399590ccfc4635584429 (28 x RedLineStealer, 5 x MysticStealer, 3 x Smoke Loader)
ssdeep 24576:WiuBtZpNBDjl0X/O6jieSxtl8FfpyQtT48AsOs:FuBfpNJj2/X2egy34Q
Threatray 20 similar samples on MalwareBazaar
TLSH T17C150241B9C480B2EB73413249F4DAF8257EF4A4C32298EB37D50F5E5DA46D1E6307AA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.6166.21226
Verdict:
Malicious activity
Analysis date:
2023-09-13 18:33:52 UTC
Tags:
stealer redline stealc
Link:
https://app.any.run/tasks/5799aa3c-a9ff-409d-aabf-a35de8330e91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448474/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.6166.21226.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/6502005e25e2ece4df6d05c8/reports/9170050e-969a-4568-932f-887f90cf547d/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/1432dcdf2a40ff4c185da791fb136e8cd2dd94f8b38ec29631e14e7af8416cbe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca65ab2b-2d08-41f2-bff1-338ff74f43c3
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307922
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1307922 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 57 tse1.mm.bing.net 2->57 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for URL or domain 2->83 85 9 other signatures 2->85 11 SecuriteInfo.com.Win32.CrypterX-gen.6166.21226.exe 1 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        signatures3 process4 signatures5 97 Contains functionality to inject code into remote processes 11->97 99 Writes to foreign memory regions 11->99 101 Allocates memory in foreign processes 11->101 103 Injects a PE file into a foreign processes 11->103 18 AppLaunch.exe 1 4 11->18         started        21 conhost.exe 11->21         started        process6 file7 45 C:\Users\user\AppData\Local\...\x0027162.exe, PE32 18->45 dropped 47 C:\Users\user\AppData\Local\...\k1782537.exe, PE32 18->47 dropped 23 x0027162.exe 1 4 18->23         started        process8 file9 49 C:\Users\user\AppData\Local\...\x5583446.exe, PE32 23->49 dropped 51 C:\Users\user\AppData\Local\...\j6164559.exe, PE32 23->51 dropped 87 Antivirus detection for dropped file 23->87 89 Multi AV Scanner detection for dropped file 23->89 91 Machine Learning detection for dropped file 23->91 27 x5583446.exe 1 4 23->27         started        31 j6164559.exe 13 23->31         started        signatures10 process11 dnsIp12 53 C:\Users\user\AppData\Local\...\i5777244.exe, PE32 27->53 dropped 55 C:\Users\user\AppData\Local\...\g2859518.exe, PE32 27->55 dropped 105 Antivirus detection for dropped file 27->105 107 Multi AV Scanner detection for dropped file 27->107 109 Machine Learning detection for dropped file 27->109 34 g2859518.exe 1 27->34         started        37 i5777244.exe 4 27->37         started        61 5.42.92.211, 49709, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 31->61 file13 signatures14 process15 dnsIp16 63 Antivirus detection for dropped file 34->63 65 Multi AV Scanner detection for dropped file 34->65 67 Writes to foreign memory regions 34->67 77 2 other signatures 34->77 40 AppLaunch.exe 9 1 34->40         started        43 conhost.exe 34->43         started        59 77.91.124.82, 19071, 49708 ECOTEL-ASRU Russian Federation 37->59 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->69 71 Machine Learning detection for dropped file 37->71 73 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->73 75 Tries to harvest and steal browser information (history, passwords, etc) 37->75 signatures17 process18 signatures19 93 Disable Windows Defender notifications (registry) 40->93 95 Disable Windows Defender real time protection (registry) 40->95
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1432dcdf2a40ff4c185da791fb136e8cd2dd94f8b38ec29631e14e7af8416cbe/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 18:33:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 21 (90.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqznzxzkid7uygc5u6i7we3ortjn3fhywohmffrr4fhhv6cbns7a._file
Verdict:
malicious
Similar samples:
0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57
RedLineStealer
0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2
RedLineStealer
12fc411362fbf7db2790399c07452564ed99e472ce5da3dbcce6d6ada8171282
RedLineStealer
3ef776a8fd33572a6d5d0225f6d42f9b95ee578ceec903dc0f86e257884efe1a
RedLineStealer
5ed77a8cce4ff2d0a7d3ed0dafdfdfe88b1da2130fa133ba14475cc2cb2b8778
RedLineStealer
945f463cf0dbc25cf7832992b2bc18093e41a52fc68bb40489912522022ed5ce
RedLineStealer
a1d81d22551ba0d1149b5e2e0de18870ac73e90aaf36f6c52ae6edea0d084814
RedLineStealer
bbe39345895cdaa196904e095fc9e5f7075db082d3e507cf5c1f55d4867c515a
RedLineStealer
d9266cfa4497a32587f971e69ce0b99eb3670221af54da5ddbb8b9ab4f49e81c
RedLineStealer
fa6ca34a7b4ca335c3456aeaac237fb2257e820accb5a2f09fcaff5df7035dfb
RedLineStealer
+ 10 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:healer family:redline botnet:moner dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230913-w66h9aeb6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.124.82:19071
Unpacked files
SH256 hash:
f0fdcfd3564c64e3565a31d1b4922db94dcfba6420040f462638d4a4c4e726fb
MD5 hash:
8b31a1a6a513a9e9129d92a854e1a1c1
SHA1 hash:
bcd719e4b94d55072421b3f8f5cef29020b7e32c
Link:
https://www.unpac.me/results/a30fd775-59ee-45ea-b033-e41bebd080fd/
SH256 hash:
1432dcdf2a40ff4c185da791fb136e8cd2dd94f8b38ec29631e14e7af8416cbe
MD5 hash:
51a8a7550d6491f1622e441591731e79
SHA1 hash:
59d09b0ce8700fd54f810ec2fd447a2f6043a7ee
Link:
https://www.unpac.me/results/a30fd775-59ee-45ea-b033-e41bebd080fd/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1432dcdf2a40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1432dcdf2a40ff4c185da791fb136e8cd2dd94f8b38ec29631e14e7af8416cbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1432dcdf2a40ff4c185da791fb136e8cd2dd94f8b38ec29631e14e7af8416cbe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2711433/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448474/

Comments