MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14800dd9072671b819e9f5932c6a5a17acdfad18fd9ca1505387b9d52dbf3727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14800dd9072671b819e9f5932c6a5a17acdfad18fd9ca1505387b9d52dbf3727
SHA3-384 hash: ce57d00d0293b1e2b304c6b4bd233c46b860e7014186320aabf5a2d7437896d11c541bda9de5c36e5e278cb2f0f5cc7c
SHA1 hash: 65ecaa20ea916ee8c78aa60b24d10e65c53f26a2
MD5 hash: e78c12a4bd00e94b07db805c153985cf
humanhash: oscar-nitrogen-green-edward
File name:e78c12a4bd00e94b07db805c153985cf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:710'656 bytes
First seen:2021-11-06 10:24:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e173696583a7b3ed6093e8dbbe166b2e (2 x RedLineStealer)
ssdeep 12288:L2Mpu4k5VXh7+07NpkCebo/NzEZhw0jTC85FMXGZc2rpmGvmuHBX:/pm/407NpXe8hYfjTC8SqcMpvbHBX
Threatray 16 similar samples on MalwareBazaar
TLSH T153E423E7BB04DD54C11A12B08253FA3D6478BEFA9EE17682149EBC2F5CB836195073B1
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/202883/
Detection(s):
PUA.Win.Packer.AsprotectSke-3
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/61865801d8143ea269cd10c9/reports/419ad197-ef8d-4851-9d4c-d559b3ed7232/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c37f9fed-3eac-4caa-a565-b1e23f41b1e3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/884474
Signature
Found detection on Joe Sandbox Cloud Basic with higher score
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14800dd9072671b819e9f5932c6a5a17acdfad18fd9ca1505387b9d52dbf3727/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-06 09:09:22 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=csaa3wihezy3qgpj6wjsy2s2c6wn7liy7wokcuctq645kln7g4tq._file
Verdict:
malicious
Similar samples:
57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f
RedLineStealer
57fb9f191f910890da8143e222ed68a876620f84444a5679fbbed4eecec1cc7e
RedLineStealer
72660328d491a37b99ae219252eccab4dfd568329fbb72e512167b239ba2c190
RedLineStealer
8649bf155fb76f11ccb64ada34b2bef81949839df4ed543c306c3d28e655b2bf
RedLineStealer
8a827b33a6823c74252084c533038059806d6599961f17c36668e5336510e1fd
RedLineStealer
afe57674c53de398de18be61175e7cf55447e9c57cd3b4c82b035a9d65ec86f3
RedLineStealer
bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3
RedLineStealer
d06d675add136cc82c55c68166df534afa018e9f1ae333a9a75cacc1ec66d9d3
RedLineStealer
f066f830f62f469a36d49b22554dfd186c0d131a3ad924df108262f87b2346ab
RedLineStealer
+ 6 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix world discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211106-mfy7taebd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.216.43.58:40566
Unpacked files
SH256 hash:
2e40a85ee200543e2c7dbb816ee68eb811a66f82514753be2e6b2c4db17ab75d
MD5 hash:
3b80ee406d103970fada2fea0adcd07c
SHA1 hash:
49687092cb7e952a4373365a78810aa31c09aa0d
Link:
https://www.unpac.me/results/fd629d38-fe6b-49b4-98c0-eb74fe68835a/
SH256 hash:
a9fe0d9e9d1348f7c5bb6387af7191c15a94ee805792528defb7cce06828656e
MD5 hash:
f17c20feee58225a78d0bad0db0c1493
SHA1 hash:
2813988f3f527daf7e900fe49330c7452361c308
Link:
https://www.unpac.me/results/fd629d38-fe6b-49b4-98c0-eb74fe68835a/
SH256 hash:
1755143f3be34c7c835fed406dd677e55c135b01935601ee8828b884e15442bf
MD5 hash:
ccfe0f3b556bc0b9bb9793e06b81babe
SHA1 hash:
540a7665412cd27cc895bf3c690506cd9d944a3a
Link:
https://www.unpac.me/results/fd629d38-fe6b-49b4-98c0-eb74fe68835a/
SH256 hash:
14800dd9072671b819e9f5932c6a5a17acdfad18fd9ca1505387b9d52dbf3727
MD5 hash:
e78c12a4bd00e94b07db805c153985cf
SHA1 hash:
65ecaa20ea916ee8c78aa60b24d10e65c53f26a2
Link:
https://www.unpac.me/results/fd629d38-fe6b-49b4-98c0-eb74fe68835a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/14800dd90726/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14800dd9072671b819e9f5932c6a5a17acdfad18fd9ca1505387b9d52dbf3727

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 14800dd9072671b819e9f5932c6a5a17acdfad18fd9ca1505387b9d52dbf3727

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/202883/
  
URLhaus
https://urlhaus.abuse.ch/url/1757020/
  
Delivery method
Distributed via web download

Comments