MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2
SHA3-384 hash: 3ab6fab85dffd3d03fd0a1bd93bbacb32287d2ea7c4493c8578b2dd7a547228fa7282b1d4d427e3769768d7892320184
SHA1 hash: 85019bcb03361e144e5787d6fce0395574eee333
MD5 hash: 3c38e0b852a855930027b18bb540e435
humanhash: undress-river-bravo-georgia
File name:3c38e0b852a855930027b18bb540e435.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:19'623'570 bytes
First seen:2023-12-06 00:35:15 UTC
Last seen:2023-12-06 02:21:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6011984d7c1f1b97a34d7517a498bff8 (8 x RedLineStealer, 5 x STRRAT, 3 x LummaStealer)
ssdeep 393216:Umw/uU2gacJwe6ZElIlTFGw0CKM8FZPG6IOyS/Uv/PhHL:UmwGW2r8ITFGCkFOe0r
Threatray 78 similar samples on MalwareBazaar
TLSH T1C3171223A0D92031FD731A36A8A264633D3E4ADCE4CB285528F45BE3F972C496F57752
TrID 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 409064e290a9d1e2 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.19.175.96:443

Intelligence

File Origin
# of uploads :
2
# of downloads :
378
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://cdn.discordapp.com/attachments/1178168074499801122/1179411874022961152/Installer.zip?ex=6579afe7&is=65673ae7&hm=0ab0e4c2c5eb60c8444afe502b8b4461705ed798c24704be0e884025fb0cdfe6&
Verdict:
Malicious activity
Analysis date:
2023-11-29 18:38:50 UTC
Tags:
payload stealer redline
Link:
https://app.any.run/tasks/b4a7e1ae-8fad-40a3-b6f0-607f7d23b3ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Trojan.Agent.XQBWGS.30613.21323.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656fc1fc18cffa73b1db4b9d/reports/f01f5248-4b86-4083-acd8-99a9489b11e5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2a65ac7-d070-4a90-897a-ab1795e3fd85
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1354322
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354322 Sample: ZdO7xCPaWq.exe Startdate: 06/12/2023 Architecture: WINDOWS Score: 64 18 imagefilestorage.top 2->18 22 Multi AV Scanner detection for domain / URL 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 Multi AV Scanner detection for submitted file 2->26 9 ZdO7xCPaWq.exe 2->9         started        signatures3 process4 process5 11 javaw.exe 23 9->11         started        dnsIp6 20 imagefilestorage.top 104.21.27.51, 443, 49732 CLOUDFLARENETUS United States 11->20 14 icacls.exe 1 11->14         started        process7 process8 16 conhost.exe 14->16         started       
Score:
16%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 18:17:42 UTC
File Type:
PE (Exe)
Extracted files:
6485
AV detection:
14 of 22 (63.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djdonyzardimpejetrcjsam222grhsg6olzldi3mxcs3wrxjytza._file
Verdict:
malicious
Similar samples:
1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2
RedLineStealer
af0c48ca1ed3431b936d489bf1e8255a5d4182bd6164946bd6179ae3f212d0b1
RedLineStealer
d2df430d281ad78bc0690d63df9896fe195e2df53f2e9182c6f459094f70aa45
RedLineStealer
df4138a66646a5635fcb28efd5b0e7a8df86a67b77e9105516b83cca0233c34a
RedLineStealer
e62bf7ac957d0adf76ee5a050299b27473e7096abcafc4f2c42590aaf197462b
RedLineStealer
ed4754164c55dd618ebd2de2946b0e6a04086e138eb5547279df582a197616e3
RedLineStealer
ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcaec7f383b4d81d1b318ee
RedLineStealer
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231206-axxzvshd86/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Modifies file permissions
Unpacked files
SH256 hash:
1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2
MD5 hash:
3c38e0b852a855930027b18bb540e435
SHA1 hash:
85019bcb03361e144e5787d6fce0395574eee333
Link:
https://www.unpac.me/results/6ce7c01f-a618-4c9a-9d9b-74caebe29211/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a46e6e32088d0c791249c4499019ad68d13c8de72f2b1a36cb8a5bb46e9c4f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MinGWGCC3x
Create hunting rule
Author:malware-lu
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments