MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23493567b9938ee6b0fe1f75a1761c830d14f7c19628fe57a5823d2378869a2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23493567b9938ee6b0fe1f75a1761c830d14f7c19628fe57a5823d2378869a2a
SHA3-384 hash: 8fc50aa3a07cb33d8419f4391743c701ae510676f561bcc21db0e2f76e18b8902f687f9757f8d6baac028d2ea5744470
SHA1 hash: e360701888abf565eaec2103b8755a035bc37475
MD5 hash: 962efb84a4a419e0a66cacb99ddde77a
humanhash: lion-juliet-east-lemon
File name:windows11assistant.bin
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'393'932 bytes
First seen:2022-04-26 12:08:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 75a66337bebedbcd88a6832462d9d3ef (1 x RedLineStealer)
ssdeep 98304:YHsuG9MnPCzk7Mu8i5NZ5UVrgargecJwkihZRK:9/98PCI7h73zOEarfJkUY
Threatray 75 similar samples on MalwareBazaar
TLSH T19746E0A55C57AF42C5DA2B796EC6F470700BE4A4AAF82D09CA3E8FCD03B959D0471D0E
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter ni_fi_701
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266787/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38798582.8139.30297.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Reading critical registry keys
Launching a process
Creating a process with a hidden window
Searching for the window
Delayed reading of the file
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6267e0ed73707978a848f9f7/reports/b4db6508-701f-43e7-ab0b-401b7bd47ab2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/823b056c-88ff-4e2d-8a7c-f3f4d829ad2a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/983222
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23493567b9938ee6b0fe1f75a1761c830d14f7c19628fe57a5823d2378869a2a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-29 07:03:00 UTC
File Type:
PE (Exe)
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cffbd0a9a71d6dc4ccb63dbbfeef735b2c8bf9acdf1409f1cbdeed36ce0faf8
RedLineStealer
1116037d457d9126f16fc9529a4be482d374047f0e834614ae8292a631ed8aaa
RedLineStealer
936016b0cd8e890dc141d51d82a8b9d1a21a4bd974687eff64307a2c96ab2b5a
RedLineStealer
9a60ef135297d1863e76696b603f9de38d77b8efa1387b7ab7e89eec5c8f4f43
RedLineStealer
9f27dace8e848c5957adb0686992fe7ce392cbc7f957116b13935d20e668f91b
RedLineStealer
a5541460d296b3b3ca23cc1663882122351a08067b3ee608fabb88e38e95e515
RedLineStealer
caa8ea5f119085a9bc0f33b8f1a0ad80b6d4a9b52050f03f11bc539ebdc88534
RedLineStealer
d2205532e27cf8ae9dbc0a62fdf3fca598f5fa8f9cc948bec49df54b0b8a8cd6
RedLineStealer
e4a932eaaec97ff04b018060f31b800dbd9a56ca0ba2bbb300037be3c55ee507
RedLineStealer
e972045da5186bd0d1b384aeb756fee789855c246080dcef9bd0c0b0f2e228e1
RedLineStealer
+ 65 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220426-pbgs3scde8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305
MD5 hash:
fa5def992198121d4bb5ff3bde39fdc9
SHA1 hash:
f684152c245cc708fbaf4d1c0472d783b26c5b18
Link:
https://www.unpac.me/results/a08fe72d-dfe3-4f6c-bce7-49d5fbf4f90d/
SH256 hash:
a7db9c57d4cd9639e0f8de3280c52218a699fb80a827f34a8505b37f2b7dc009
MD5 hash:
87348a57357c3655efad2ebfb48e23b5
SHA1 hash:
8972d9501c0455ad47bd577d61b3622ecf8f649b
Link:
https://www.unpac.me/results/a08fe72d-dfe3-4f6c-bce7-49d5fbf4f90d/
SH256 hash:
163b1c9e61d93a78d1b91fb8ab799201cf1121716a510dac7291b3ad39e8d587
MD5 hash:
104b381fd45ef1e425863ae5fcb46df9
SHA1 hash:
739535dd391fd109779b265b4c99f505bd6454eb
Link:
https://www.unpac.me/results/a08fe72d-dfe3-4f6c-bce7-49d5fbf4f90d/
SH256 hash:
23493567b9938ee6b0fe1f75a1761c830d14f7c19628fe57a5823d2378869a2a
MD5 hash:
962efb84a4a419e0a66cacb99ddde77a
SHA1 hash:
e360701888abf565eaec2103b8755a035bc37475
Link:
https://www.unpac.me/results/a08fe72d-dfe3-4f6c-bce7-49d5fbf4f90d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/23493567b9938ee6b0fe1f75a1761c830d14f7c19628fe57a5823d2378869a2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266787/

Comments