MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ec91641c9501dbfb30954ce79f6bf6592fe12a1aa2339fca6ba302e1ecd8c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ec91641c9501dbfb30954ce79f6bf6592fe12a1aa2339fca6ba302e1ecd8c23
SHA3-384 hash: 9f5a994aa0d4932650355a84ba273cc95ed588575f382db06f56e0fb48bfad0f842ee448459f6b0298dccec47c6dfa40
SHA1 hash: 1c9d7500cae5cc79c4dd9486b74194d4aa7daa8e
MD5 hash: 08c9c2ea3b478032f9dabb8fcdd2ee6d
humanhash: robin-lake-moon-low
File name:08c9c2ea3b478032f9dabb8fcdd2ee6d
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'512'336 bytes
First seen:2022-03-21 16:50:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0a11e0271a5c976fa824da23e56b697 (1 x RedLineStealer)
ssdeep 24576:6BNfTo+wwNuOVlCjTZOkQsHxSxxXUCZ0AA1:6jTo+XcZRkxxXUCZ0AA
Threatray 805 similar samples on MalwareBazaar
TLSH T1F9657E76F18AC762C19102351984F5C0FF38F9A720BAB852B94D59F717AFE9990B34C2
File icon (PE):PE icon
dhash icon 68fcc860a4e0c8e4 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253712/
Detection(s):
Win.Malware.Fruw-9938025-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6238ad030cd58dbd92cffd50/reports/a2798f8f-b129-4522-9eaa-8c7a0d7fae04/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58386a1f-1841-47fd-b1c5-81463b494aac
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/960988
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ec91641c9501dbfb30954ce79f6bf6592fe12a1aa2339fca6ba302e1ecd8c23/
Threat name:
Win32.Trojan.Mamson
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 03:21:51 UTC
File Type:
PE (Exe)
Extracted files:
111
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5
RedLineStealer
bbd758f37aeef6a57927c486286c6d4725901ecb399ca9b26a0a0936a5b1050b
RedLineStealer
ddf1bac1a33f6668bd6606659c30f6e63d4674fc9b482d0a3d37601a818a67b8
RedLineStealer
e347cd6db9c802638a546510c858928f9e69325d092c937ef3f33497d7d8c844
RedLineStealer
eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7a621c852ef2c45192ae
RedLineStealer
fb3104bd722fc507244ba989afa2ee924f43fbdfd617973ebdf6b8f8f9478ea0
RedLineStealer
+ 795 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/220321-vctrxsheel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
RedLine
RedLine Payload
Unpacked files
SH256 hash:
1ec91641c9501dbfb30954ce79f6bf6592fe12a1aa2339fca6ba302e1ecd8c23
MD5 hash:
08c9c2ea3b478032f9dabb8fcdd2ee6d
SHA1 hash:
1c9d7500cae5cc79c4dd9486b74194d4aa7daa8e
Link:
https://www.unpac.me/results/ed5bb90e-571e-44df-8933-e07415f0316f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/1ec91641c9501dbfb30954ce79f6bf6592fe12a1aa2339fca6ba302e1ecd8c23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1ec91641c9501dbfb30954ce79f6bf6592fe12a1aa2339fca6ba302e1ecd8c23

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2109462/
Cape
Cape
https://www.capesandbox.com/analysis/253712/

Comments


Avatar
zbet commented on 2022-03-21 16:50:50 UTC

url : hxxps://altadominiomallorca.fr/O.exe