MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746
SHA3-384 hash: c946f6a9d14a9a40e534c6c8457e424dc56642232054c443c4ce9d7a0eec139eedaeb4ac33a252c579900187397b2d53
SHA1 hash: 6bb3e0a8faf26648a9fb34a8d2695505ca6a1a1f
MD5 hash: f95f0f0440c1f4e6fe9aee332dcefad7
humanhash: uncle-april-connecticut-princess
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'079'616 bytes
First seen:2024-06-05 14:04:50 UTC
Last seen:2024-06-05 14:28:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:PTdLW9wHqpUje14fK5QrqlMXIhQHutkjyJ4vmVMLKx+IBkYn+t0LqhAf2lwafnu7:PTdLW9wHqpUje14fK5QrqlMXIhQHutko
Threatray 1'743 similar samples on MalwareBazaar
TLSH T19B167C0076E56975C58E83B6C2E256300772FD225B51DB1F316CF67DAA223728DC23BA
TrID 44.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
34.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
6.3% (.EXE) Win64 Executable (generic) (10523/12/4)
3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c0e0c0a8cefbbc8c (1 x RedLineStealer)
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: https://vk.com/doc461844031_680134883?hash=v5F9pZ9QrFLodi2gGKdspZMtZGwIO3vc700qoybzovg&dl=zDvig3P0bJgC46VGyZNF2fisOe5lZkj06ntDOpH1E3s&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads :
2
# of downloads :
377
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746.exe
Verdict:
Malicious activity
Analysis date:
2024-06-05 14:05:14 UTC
Tags:
stealer meta metastealer redline
Link:
https://app.any.run/tasks/19dad6bc-26ab-44bd-b0a2-e47d2a9bd6b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.30425.UnRegNetReactor.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66608870a29d07c94ae5f719win7simulatehigh_evasion
Tags:
Generic Static Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
agenttesla dotnet lolbin msiexec net_reactor packed packed vbnet
Link:
https://www.filescan.io/uploads/66607090eae3878d8f3810a0/reports/2aadcc9c-2470-466c-9429-f2b772954a50/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff2c885a-127e-4108-bcb2-5370158ebe19
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1452397
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746/
Threat name:
Win32.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2024-06-05 14:05:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
68
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=diagproyeyxi3uxnyctrozjla3ewnhhhezp6izlyxla4zvdjq5da._file
Verdict:
suspicious
Similar samples:
3835fe3e13b67d406cc7c1412098bbf2fcb28371c6628539ddf46d98aa716ef2
RedLineStealer
665257d2e600180970af272d6ec682ec1a42959de375813a3f358efce8f2458c
RedLineStealer
7d06266d2ba7653d4ea295fa3e1df7a89b3194735e3cc3b5cd2964a3f4d1f730
RedLineStealer
8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9
RedLineStealer
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2
RedLineStealer
+ 1'733 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) infostealer spyware
Link:
https://tria.ge/reports/240605-rdtxjaab22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
5.42.65.63:14707
Unpacked files
SH256 hash:
81cadb6a9546328647f2fbd1713fcf8ee49921c6a0c7b155f6d287acddab5fd7
MD5 hash:
eb029ab5c2f8de328736c53dc3c7df47
SHA1 hash:
e05c4fba0236fee2516bf53a287e41e0e97a0ee5
Link:
https://www.unpac.me/results/f954c9af-90f5-4f5c-ae7f-4099d396cfa9/
Parent samples :
12df075fcaec366639ab37f203aa412540f351ee17e7f126a4a126e7a61c2a9b
b8a5ef9ea9fa588907a197db55c743559460190aa58b227db10d6be75d8bfe39
e603e36cae3f0fa9badbeaeff8fb0becb1ed444776892db76cd8d219e2ba92bd
SH256 hash:
da895763a22479e2e41e25ee48764960a9db25956c9e7e8b7680e29c23541cb0
MD5 hash:
41faf8938d2fcc7b037835aff3cf6069
SHA1 hash:
835a23b7b260f321a2022226d7c293ee5ceb4e6a
Link:
https://www.unpac.me/results/f954c9af-90f5-4f5c-ae7f-4099d396cfa9/
SH256 hash:
f2187917f7e2c764467787dbe25c4e52d646c31c5eaa76b8b430ded9e75c0063
MD5 hash:
2b266b9142176428dd6422adf5a5a104
SHA1 hash:
21f84a7be892fc72dd41f551daae03d583c146f4
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f954c9af-90f5-4f5c-ae7f-4099d396cfa9/
Parent samples :
2a1c24a9ffbd4b15e8bdb6f46dae51dd4c346288e31d6c992619ac962198bb10
1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746
1d51dd6aea9c715dbf6e6192de555d8534efa5aa4d58d0d0331a2d6cd1002b48
f2187917f7e2c764467787dbe25c4e52d646c31c5eaa76b8b430ded9e75c0063
f68e7282ed7df9a76ec492e06330c4ba4a1faf5a357795b41ab2c0743955d364
bfad83fe5b7277309e29ae2c92258a9df03d0a4318f39ef588de9036fa316f6f
31fc62e038bb1e7ea1453990c19f857f3f617cbaf0a3c2489583e61cc38dfd35
00b1ea6a2a6a6cc82331e94e37af46027fbfdb340ed465d5d01d136b6f777240
SH256 hash:
c86d9befba1cac118d1aaff010da785d2105d873dd22159def94167c54e4b3c7
MD5 hash:
700c618b6e713e7e11fe605031554e3c
SHA1 hash:
3b303e6f3a8885040c335775d00186fe5c59faeb
Link:
https://www.unpac.me/results/f954c9af-90f5-4f5c-ae7f-4099d396cfa9/
SH256 hash:
1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746
MD5 hash:
f95f0f0440c1f4e6fe9aee332dcefad7
SHA1 hash:
6bb3e0a8faf26648a9fb34a8d2695505ca6a1a1f
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/f954c9af-90f5-4f5c-ae7f-4099d396cfa9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a0067c5d826/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:GenericRedLineLike
Create hunting rule
Author:Still
Description:Matches RedLine-like stealer; may match its variants.
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_efdb9e81
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1a0067c5d8262e8dd2edc0a717652b06c9669ce7265fe46578bac1ccd4698746

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments