MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
SHA3-384 hash: 67e1158c2e24e87b1cb06050cbecb340372e043279031f4b98def2e8d112139c33af0e98720877f8dd56484926f41096
SHA1 hash: 39a45f5aefb163427aa29ffcbdf130017cd52e62
MD5 hash: b7bb700e5a7a0c61fb93590366fe6ab9
humanhash: wyoming-robert-winter-missouri
File name:b7bb700e5a7a0c61fb93590366fe6ab9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:286'208 bytes
First seen:2023-02-14 18:39:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81b62a0be155aced9a744e6e96a19e1b (18 x Smoke Loader, 9 x RedLineStealer, 2 x TeamBot)
ssdeep 6144:61L4BI9E+Sy5830JNHYnFpbpzMp63k7cqFQ3RIaE:61sx+X2sNobzm7k3RIj
TLSH T19F54F1323AF1C032D1A385B19460F65069BFBC7267A0859732782E2F2E716D19E7E357
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3070606070626260 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f0229acbb0eed3c6bc421f91820515ac.exe
Verdict:
Malicious activity
Analysis date:
2023-02-14 10:43:16 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/dd55fd53-db1e-4097-ac31-c9537398b47d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/365999/
Detection(s):
Sanesecurity.Malware.28830.BadO.UNOFFICIAL
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63ebd58419bdad8346374504/reports/639912e2-8468-4ad1-a77c-6825de8e8f99/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82ca9f8c-9f3b-4aaa-b900-3c64199796df
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1175408
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 07:06:05 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=culpyj2ywqe4pvjqajtfzcenmkweqhmjm6puoogh2bomm4w6ggpa._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:romik infostealer
Link:
https://tria.ge/reports/230214-xa7xwafd34/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.12:4132
Unpacked files
SH256 hash:
6025e99b61cf27e4199afba2bbcaff306e1c73eb08d7706210b26d8e785f8a38
MD5 hash:
5a5d7c502c8de78f62818cd74dc3fad9
SHA1 hash:
f6a32259e84173fa3e674287fed9f7682d91ed00
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f13352e1-a6fa-4a65-83fa-09ad35ab7277/
Parent samples :
2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
2939c2394ceba4ec6d09b39765f26de7b9b2e768ffe5426da4f1833f33b015ee
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dfbca902423ad0c0b53e3abb0cb4e57b3ee266cb4eaec98b9baf4b107d19ccd6
0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
dca38093bc51d165acf5754982d66fe28509c85d65492d8428a240e1f85df435
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
0423f6894af5cdff8c3ea348370c3c9e950fa161b6aa7ea78ae43020d6ad6458
1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
b39502990b9ff0db6a020260147dac82e89ca3046f526ec81f3a6af1f241e78a
e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b
SH256 hash:
75f41983d7da68c378b64f8e5633bde393f9c550469ae5bd4da6d64d6674286b
MD5 hash:
285e4cae921c512fec71492eaafc27c4
SHA1 hash:
7a1022b0ec66c57a216bd0f842906917e7851130
Link:
https://www.unpac.me/results/f13352e1-a6fa-4a65-83fa-09ad35ab7277/
SH256 hash:
50f3bb777aae6492f16cae37defbde1ad701744d09ce494cb81411ab99843ae8
MD5 hash:
3c7daf17f32e25bdfe12191773e5aa0a
SHA1 hash:
750c7926225355ad815cd3325f7abf3d369f9cac
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f13352e1-a6fa-4a65-83fa-09ad35ab7277/
Parent samples :
2939c2394ceba4ec6d09b39765f26de7b9b2e768ffe5426da4f1833f33b015ee
dfbca902423ad0c0b53e3abb0cb4e57b3ee266cb4eaec98b9baf4b107d19ccd6
0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88
dca38093bc51d165acf5754982d66fe28509c85d65492d8428a240e1f85df435
0423f6894af5cdff8c3ea348370c3c9e950fa161b6aa7ea78ae43020d6ad6458
1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
b39502990b9ff0db6a020260147dac82e89ca3046f526ec81f3a6af1f241e78a
e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
SH256 hash:
1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
MD5 hash:
b7bb700e5a7a0c61fb93590366fe6ab9
SHA1 hash:
39a45f5aefb163427aa29ffcbdf130017cd52e62
Link:
https://www.unpac.me/results/f13352e1-a6fa-4a65-83fa-09ad35ab7277/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1516fc2758b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2532610/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/365999/

Comments