MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15f48257a81c6aa01f1b226e9c41e7df1f4a7edcfea31c59935535423908beb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15f48257a81c6aa01f1b226e9c41e7df1f4a7edcfea31c59935535423908beb6
SHA3-384 hash: c2a687c7c94291a347e319441d2e80caf72b7abf75fedaa1b62bda3c6f3c3790095d2a3e48110cd7e6d5839081055bd9
SHA1 hash: 07700d6a08d889ef0b250c32186bb0ad468c50d5
MD5 hash: 59f5d0fc66c9b1e38636f5f98a17730c
humanhash: florida-pasta-violet-mexico
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'225'480 bytes
First seen:2023-10-11 23:19:36 UTC
Last seen:2023-10-12 06:44:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66025e7bb3415added2b8177bf9bcfbe (17 x RedLineStealer, 8 x MysticStealer, 5 x Amadey)
ssdeep 24576:CgryJRfw5G143SeVjGL1+ptZ8tJqLC+iNQnE:IRfw5G1+jy1WfnE
Threatray 38 similar samples on MalwareBazaar
TLSH T1C5459E20B5944A36EEE631B64AECBB25455DD0A00BB510CF8DDE46DBF6203F37A32D85
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
29
# of downloads :
288
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-11 23:19:55 UTC
Tags:
stealer redline sinkhole
Link:
https://app.any.run/tasks/dfd05391-2974-4ea3-a5d6-024a3df131dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/453542/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25170.19751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/65272da4d9aa1327017f8b2c/reports/4cb54ebb-b170-4a4c-89a7-7b9cd3a40274/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/15f48257a81c6aa01f1b226e9c41e7df1f4a7edcfea31c59935535423908beb6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f1edc83-e27f-48d8-b3ef-468c1498b8ab
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324237
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15f48257a81c6aa01f1b226e9c41e7df1f4a7edcfea31c59935535423908beb6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-10-11 23:20:08 UTC
File Type:
PE (Exe)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cx2iev5idrvkahy3ejxjyqph34puu7w472rrywmtku2ueoiix23a._file
Verdict:
unknown
Similar samples:
045b56aeef5b7f2c15defb51012f550ca68838fc78f63b908cb16f9a2f6199df
RedLineStealer
2f5aa6f7ed6f5155d8e1e65f995ea4233d767c90556ca8741240ecae3fcf1ca1
RedLineStealer
3fac06c5350d8d7ea32675c3a0a773019c29af564c938ac3ec33e358552d9c8a
RedLineStealer
6d93efd07aa2e72d68cc0f6bf3caad3ef38f6a831d0b701fb570a24e5f52aa0f
RedLineStealer
703ad067513f52c8839d90c1853392f33c52323ea2b77f15e00c0a9b283c42ef
RedLineStealer
785b94ac5b341ee5bcd4ff6848e71b4806f4b778fff0972b2f32ae2964fc4d8b
RedLineStealer
82c040a4f1335d3d601e7b833ad647dbf8051c12e3a71516315584134c2aff0a
RedLineStealer
d2e59c6bccc7fa58336757261a7491984c630ae701ecb6e76699690ab1a236b5
RedLineStealer
ef88ad09be4e4dc5b7282e212e447f0dde1518768e4172963e5e21170f033767
RedLineStealer
f067fb47e7f40f608f4357390d34f8c5eddce97262aa7c31dab67f1e492faf36
RedLineStealer
+ 28 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:unique28.5 infostealer spyware
Link:
https://tria.ge/reports/231011-3beklsde47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
a6974908eeebd122f4f54d644b672fb1bad6bd2f6adb13299df0d2468eca45ee
MD5 hash:
b5cceab51745f0f9825380cc4f556b46
SHA1 hash:
0203e93e9ee53b7eefee0e0b9e58c159def6b869
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/5620e91b-689d-43d6-97f7-5399753dc912/
Parent samples :
f672ba8bf05715a07351bf661588fcc42a13f814b4b6c3c9ea3519d35861a86f
ff62bfb6f7378345178775eb9d7f7cd50945bf1380c6844824b6fb4ea24202ba
0035a48da08f9413c20e69f3c416b25a0ae13cadea2feb9e1f7c7bf49017344b
6fef91fbafe4fa18679140a58021c059f5f16751e45409d3bcb7e15d99b0c234
e074f166319a73c358eccdc9e0478314eb51d144e72de83c602823c8f72b7093
0de770dab4a494bb3d513673e0abd54e0981c59e34d3598937bb69c1ea51c90f
cdddecd9cdc45e16119dd3c20a02e8b164ca9ab59aeee93173c969fb27a45c28
15f48257a81c6aa01f1b226e9c41e7df1f4a7edcfea31c59935535423908beb6
ef05fd38600ea000815a96a13734c2b0a3143a2f57bf12dd47f587175f6c7b7a
SH256 hash:
15f48257a81c6aa01f1b226e9c41e7df1f4a7edcfea31c59935535423908beb6
MD5 hash:
59f5d0fc66c9b1e38636f5f98a17730c
SHA1 hash:
07700d6a08d889ef0b250c32186bb0ad468c50d5
Link:
https://www.unpac.me/results/5620e91b-689d-43d6-97f7-5399753dc912/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15f48257a81c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15f48257a81c6aa01f1b226e9c41e7df1f4a7edcfea31c59935535423908beb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/453542/
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/

Comments