MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 145877ca20956bebfae598ae4d4ac8c635c73ec5f7b6c34d6fdd024648f576f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 145877ca20956bebfae598ae4d4ac8c635c73ec5f7b6c34d6fdd024648f576f9
SHA3-384 hash: 4ae51d2cd2adc7b8dbeef9fb7a7224376d32168c2ecafafde0685fc6e54a7e47558fe6fa4a6b4397206dc53362e4148f
SHA1 hash: 944ff4b281d0082b89bdfe8fcdb1a5d4a03eca8c
MD5 hash: bddb6d6ce4d658895dd74b7fee47fada
humanhash: shade-cardinal-single-shade
File name:bddb6d6ce4d658895dd74b7fee47fada
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'535'488 bytes
First seen:2022-07-31 14:48:56 UTC
Last seen:2022-07-31 16:03:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:hgxL2LqBClkSQMJzig53shMjYvodMiBvAxX7fty:hcvBClk6ViguMjYvodMiI7ly
Threatray 252 similar samples on MalwareBazaar
TLSH T144655822249EA1DDDF4C74BE85C441A9A3949DEF430F90D2E369373EEA35274FA82507
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 74e8daccf8f8ecdc (2 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
373
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295372/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61010707.26883.7693.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.61010707.21875.28035.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Sending a custom TCP request
Creating a window
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e696dac4ff0c95024e541e/reports/89dadf65-1e5c-4e1c-9c64-a8778b43d3f3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d36d34d3-6bbe-47cf-aa18-32285d019b53
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043795
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/145877ca20956bebfae598ae4d4ac8c635c73ec5f7b6c34d6fdd024648f576f9/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-07-24 14:17:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crmhpsrasvv6x6xftcxe2swiyy24opwf663mgtlp3ubemshvo34q._file
Verdict:
malicious
Similar samples:
0d680dba51deffe04686d1df8c87de9c6c0310f7060bf4cfb0079a2f25caef10
RedLineStealer
11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e
RedLineStealer
245db4f7a5c9b2ab4c50a3cdaa335ac740f05e84e0ebf9859325669fe23d3ffb
RedLineStealer
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
RedLineStealer
74fcc86067e7881064261379466dd8431c32358aa1ffac63d263ea81312cff0b
RedLineStealer
82c5493e260ceb7ed2ea793862fe1d67f2e7f79b8131928bfba875e8c11a20e3
RedLineStealer
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
RedLineStealer
c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32
RedLineStealer
c7f59a7678b39f9e6623e0b473f2420c8ba52a924ca70ab2ce849268c289c85a
RedLineStealer
+ 242 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:torrentold discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220731-r6z91shdhm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
amrican-sport-live-stream.cc:4581
Unpacked files
SH256 hash:
0cc1d2c60f67829f206f7726ce67a62dee75b2c7c4f68fddb2eed7519c79d818
MD5 hash:
37fee66957d67c78eb8119b31e2e7305
SHA1 hash:
f850ba011b67b939cd6297efbec9c231b0607e10
Link:
https://www.unpac.me/results/2fe23200-54e3-41b7-8738-0ce716792e0b/
SH256 hash:
cf5b72248fba68bc70b9f255185795e0f73065d98dc4ebc3c135c67f7eac3176
MD5 hash:
7fbb0a7d7906452e6cc1d2f82694d6ad
SHA1 hash:
3387a41ec74ae78bf64c1647636f7c434abc4bc7
Link:
https://www.unpac.me/results/2fe23200-54e3-41b7-8738-0ce716792e0b/
SH256 hash:
145877ca20956bebfae598ae4d4ac8c635c73ec5f7b6c34d6fdd024648f576f9
MD5 hash:
bddb6d6ce4d658895dd74b7fee47fada
SHA1 hash:
944ff4b281d0082b89bdfe8fcdb1a5d4a03eca8c
Link:
https://www.unpac.me/results/2fe23200-54e3-41b7-8738-0ce716792e0b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/145877ca20956bebfae598ae4d4ac8c635c73ec5f7b6c34d6fdd024648f576f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 145877ca20956bebfae598ae4d4ac8c635c73ec5f7b6c34d6fdd024648f576f9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2263246/
Cape
Cape
https://www.capesandbox.com/analysis/295372/
  
URLhaus
https://urlhaus.abuse.ch/url/2263266/

Comments


Avatar
zbet commented on 2022-07-31 14:49:03 UTC

url : hxxp://141.98.6.236/1337/Ndivgle-OLD-1.exe