MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 200bc3c5b9588f58fefa31e631b7269ce47650280dfc02d6ad0cc6cb9a30ca56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	200bc3c5b9588f58fefa31e631b7269ce47650280dfc02d6ad0cc6cb9a30ca56
SHA3-384 hash:	64278adbc1e42bf5700fbc309de27dc4e14d69684c4e4f61720cf76d067fe785d066fbe1016dff41c9ab20e994bec649
SHA1 hash:	57ca5a6d46a594b6ba1b0eaff233f162fe836c16
MD5 hash:	e5c6ea778ea68c873d067e4dd4ea160a
humanhash:	bulldog-violet-south-nevada
File name:	13_1647960020_5631.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'250'288 bytes
First seen:	2022-03-25 07:01:41 UTC
Last seen:	2024-07-24 12:02:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c6bd17b135d613a584e5fd8380def091 (1 x RedLineStealer)
ssdeep	24576:P6xyLps2uuWQ6dqiEogsZwyn9D6dpRcPJW3eacx9:P6xyLpsnuAfEo5zn8d3cPaeacx9
Threatray	1'181 similar samples on MalwareBazaar
TLSH	T19E4533A2DBFC7439C02D70FAB423EA9561E4F1E6F5CE874B434A963C91309229D4A05F
File icon (PE):
dhash icon	70f0f3e5e2d2da64 (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/257521/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.48694953.24225.1198.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

DNS request

Query of malicious DNS domain

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

exploit overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/623d692d1f2042394827427d/reports/feae4ae8-1f65-4670-99d3-0e62fbe54162/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1bb3d100-d8cc-4d8a-8f8e-bf63d0a6b20a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/964388

Signature

Detected unpacking (changes PE section rights)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/200bc3c5b9588f58fefa31e631b7269ce47650280dfc02d6ad0cc6cb9a30ca56/

Threat name:

Win32.Backdoor.Pandora

Status:

Malicious

First seen:

2022-03-23 02:38:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

2a06da1f6bb8f01f932093ed9ae5f1ca2ff7b53b89dfd46a0102200cf3ebaead

RedLineStealer

2cd47825cf3ef955e1d947e5a4a3099ec20829cb3fa8768865097eb182d44e59

RedLineStealer

2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527

RedLineStealer

5a37e85ddf1b693cb2e938710a4fc0cea30062eb784ad5b8cecd0d1170d5da6f

RedLineStealer

78cf79c5cc5ffb37dfae1c6b177281c793767c6bdcbb8062ccedd0547c89b8e2

RedLineStealer

80cdfc120b7824e7cb5b34fc9ab1b6b43b84dfb435fd8f3e681ad4ae0ebd41de

RedLineStealer

bbd758f37aeef6a57927c486286c6d4725901ecb399ca9b26a0a0936a5b1050b

RedLineStealer

+ 1'171 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/220325-htvz4afham/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

RedLine

RedLine Payload

Unpacked files

SH256 hash:

8f9124a7be17491e6914c536c77d1d0757dff17721ada94663efe7775270c81c

MD5 hash:

a4f3dbdf169c2314b42457c995c13ff1

SHA1 hash:

4b261628dedd2d605f8a3740c0bb9eb9f23b7ce1

Link:

https://www.unpac.me/results/11f10c4f-cfcc-4eb9-9eb5-4cf3675a5e38/

SH256 hash:

200bc3c5b9588f58fefa31e631b7269ce47650280dfc02d6ad0cc6cb9a30ca56

MD5 hash:

e5c6ea778ea68c873d067e4dd4ea160a

SHA1 hash:

57ca5a6d46a594b6ba1b0eaff233f162fe836c16

Link:

https://www.unpac.me/results/11f10c4f-cfcc-4eb9-9eb5-4cf3675a5e38/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.98

Link:

https://yomi.yoroi.company/submissions/200bc3c5b9588f58fefa31e631b7269ce47650280dfc02d6ad0cc6cb9a30ca56

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/257521/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample