MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d
SHA3-384 hash: fa004969653a7ad4cd4cc91e3762ddffbae2584a36e9677c7ce08d561874abfd97cbc44673122e2e01b51f3b880424f6
SHA1 hash: 74854bda1aa3e60c3b6f58e8f77882ac7f958486
MD5 hash: 18fd0471029adc5a608cc7c442a97f3a
humanhash: zulu-zebra-two-failed
File name:18fd0471029adc5a608cc7c442a97f3a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:364'032 bytes
First seen:2024-07-01 01:10:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:MM/FgKFH4ZtKyKtHFrO/ODMruf29AYlxJzZfPkcdeyO9U/PRdygA/g3/FGXIqNPo:MI/FutKyQli/3rtT5zPdeyO9U/PRdygE
TLSH T1847472DDB66076DFC867D462DEA82CA4EA6035BB832F4203912715EDDA4C897DF140F2
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.228.166.68:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.228.166.68:80 https://threatfox.abuse.ch/ioc/1287610/

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Packed.Dropperx-10032561-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66820277bba6ccecd93a04e1win10vpnfull_triage
Tags:
Network Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a file
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connecting to a non-recommended domain
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Replacing files
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/668202260bf5978c0b13c43f/reports/0d24a9e2-fa61-4b5b-8eea-32cd0218dabe/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dffea4dc-5d53-4891-81cc-f9e5d8bbd305
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1464974
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-06-27 23:40:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2joc5w5ss5rmw42zgrzd3mevvdtvzu2iqjz2l4xmxovnf2m5ygq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@marssellers12 infostealer
Link:
https://tria.ge/reports/240701-bjxyda1gld/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
RedLine
RedLine payload
Malware Config
C2 Extraction:
94.228.166.68:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ed4d74e3-5c5d-4804-b04d-e5b7ffc1df47
Unpacked files
SH256 hash:
1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d
MD5 hash:
18fd0471029adc5a608cc7c442a97f3a
SHA1 hash:
74854bda1aa3e60c3b6f58e8f77882ac7f958486
Link:
https://www.unpac.me/results/a8a87517-df7f-480e-987f-459937c0c8c1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e92e176dd94/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:GenericRedLineLike
Create hunting rule
Author:Still
Description:Matches RedLine-like stealer; may match its variants.
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_efdb9e81
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments