MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 172230396bad564d6755d39f367bcaa8425e8e8e8ac6f917441df422ee99375a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 172230396bad564d6755d39f367bcaa8425e8e8e8ac6f917441df422ee99375a
SHA3-384 hash: 202e46f33a633856fb90f6edd84023b24eb41404e9dba1e8ef3e4f5506e183fbc47399e4e9c6214cfa0856682412aa6f
SHA1 hash: 9b01ef80b85f2b85809241982f6230f81f334bab
MD5 hash: 285662841d038f5cb5e132824568bd65
humanhash: triple-fruit-sad-muppet
File name:285662841d038f5cb5e132824568bd65.bin
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'406'464 bytes
First seen:2023-03-05 06:46:15 UTC
Last seen:2023-03-05 08:27:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ed70d493c31fe7e849b88ee21606c62 (3 x RedLineStealer, 1 x DCRat, 1 x Babuk)
ssdeep 12288:zce1P0PcCvAJQa2MfKHO0Oa/EXGRpWVyU4cbknRh:zce1HSACW30F3H+sP
Threatray 3 similar samples on MalwareBazaar
TLSH T12955E060B4D2C072D57302310AE4D7B59A3EBD100B6A99EF6BD90F7E0F34790DA7265A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:bin exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
285662841d038f5cb5e132824568bd65.bin
Verdict:
Malicious activity
Analysis date:
2023-03-05 06:47:04 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/a886f00e-c8b0-42b0-9403-bf46209f0323

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371684/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12184.31125.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
Reading critical registry keys
Creating a file
Forced shutdown of a system process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64043ae8bfec0852a68f4be0/reports/91181ff9-8931-40a7-b23c-c456a82d3af4/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/172230396bad564d6755d39f367bcaa8425e8e8e8ac6f917441df422ee99375a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b516ea8b-16ae-4d71-870f-ad3019d0fca9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187287
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/172230396bad564d6755d39f367bcaa8425e8e8e8ac6f917441df422ee99375a/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-03-05 06:48:08 UTC
File Type:
PE (Exe)
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c4rdaollvvle2z2v2optm66kvbbf5duorldpsf2edx2cf3uzg5na._file
Verdict:
malicious
Similar samples:
505305c24cced11623e247100c1ac6beb3e738470d56a4d2eee116b6b884cbff
RedLineStealer
bde7460d3722147c96f86d77a16bb308e452d127f1cddf2c0f8f722aa68450b3
RedLineStealer
cdf2c7d2460732ca3cd40e473f1eaaaa668ca915841d34914d5aa231942e9728
RedLineStealer
Result
Malware family:
n/a
Score:
  6/10
Tags:
spyware
Link:
https://tria.ge/reports/230305-hj7wxafc9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Unpacked files
SH256 hash:
6f8da25a4f290c7beab401a43cf4843701bf55815985eb9aadfa2da00aeb3bd3
MD5 hash:
043223813448f553f760297b30bf9dff
SHA1 hash:
ca030a4e56b2f50a67d47ee1aacc1b7b74029cf4
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8a2d2877-cde6-44a4-961a-0b691953312b/
Parent samples :
172230396bad564d6755d39f367bcaa8425e8e8e8ac6f917441df422ee99375a
2f2b97ab77736a86eeb79599be1137c99befab80ba2d1af6a19a9f5ee664fecc
SH256 hash:
172230396bad564d6755d39f367bcaa8425e8e8e8ac6f917441df422ee99375a
MD5 hash:
285662841d038f5cb5e132824568bd65
SHA1 hash:
9b01ef80b85f2b85809241982f6230f81f334bab
Link:
https://www.unpac.me/results/8a2d2877-cde6-44a4-961a-0b691953312b/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/172230396bad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/172230396bad564d6755d39f367bcaa8425e8e8e8ac6f917441df422ee99375a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371684/

Comments