MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23db5a11dc6193a946e447bc1b53252b81609b92a0621ac9bea466bd75496862. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23db5a11dc6193a946e447bc1b53252b81609b92a0621ac9bea466bd75496862
SHA3-384 hash: 5385ffea640a1dbb0ffa0d64e6748a77e113d7dce9f37a0808ec81a8f44588d8addded52b9c74b9a0da98d346b548e4e
SHA1 hash: 098d85228cb65ce13ab61a4ff52031bf32fcbf73
MD5 hash: fba1593c19336b211c2aba63a39bd0b3
humanhash: don-carbon-wolfram-winter
File name:INSTALLER.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:483'328 bytes
First seen:2022-03-02 12:09:31 UTC
Last seen:2022-03-02 14:00:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b949414a1cbbc9af7d834ae8be805f (11 x RedLineStealer, 5 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep 12288:CIY5/47Inn1cr1rYULK/lGRgOUqmq9kR6lhKXLB3a9FsqJKB57d8fSk:CIYWenyhUULK/cRgOnmq9g6qB36rKX6/
Threatray 1'480 similar samples on MalwareBazaar
TLSH T1AFA423142406E189E0EC57F3EA2DFD97DA67321754C04EE29FCC3989387C938BA5029E
Reporter CholeVallabh
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246288/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/621f5ea30cd58dbd92626ea9/reports/d205c021-8874-4b2b-86cc-c6e2640a1a2b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5af8f42a-cc74-4aa3-a25e-b0b7a9b0fcd2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949088
Signature
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23db5a11dc6193a946e447bc1b53252b81609b92a0621ac9bea466bd75496862/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 12:10:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epnvueo4mgj2srxei66bwuzffoawbg4subrbvsn6urtl25kjnbra._file
Verdict:
malicious
Similar samples:
0713ce27fefb110cda3075fae74229170582c19758c2ecb7f85e0c0b8c694e0c
RedLineStealer
09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2
RedLineStealer
15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d
RedLineStealer
72660328d491a37b99ae219252eccab4dfd568329fbb72e512167b239ba2c190
RedLineStealer
7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574
RedLineStealer
ddfd59739281a6a3312661a1da66a6ca9a7007ce4c00675220a5c5b1b6f95a3f
RedLineStealer
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
RedLineStealer
+ 1'470 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220302-pb32bagefm/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
d179b165280809baf7c4c6b324e2cc399abc89fdaf48a4df60a94f9a6a094183
MD5 hash:
3b51afa39dec16c3643106123f0f1033
SHA1 hash:
e629b275baa9480474b651661905c8cb940577ec
Link:
https://www.unpac.me/results/8d6293e9-6900-4030-94c8-11fa49f12f9d/
SH256 hash:
a99c67fd7a11d1eb270d4d4dcc95617e07f33cf0f4e5e9875dc00e05aaaded9c
MD5 hash:
fe2b20002c762004861b34f5196087c6
SHA1 hash:
401659c9b061d0fbc576077e019c468a606bb15f
Link:
https://www.unpac.me/results/8d6293e9-6900-4030-94c8-11fa49f12f9d/
SH256 hash:
23db5a11dc6193a946e447bc1b53252b81609b92a0621ac9bea466bd75496862
MD5 hash:
fba1593c19336b211c2aba63a39bd0b3
SHA1 hash:
098d85228cb65ce13ab61a4ff52031bf32fcbf73
Link:
https://www.unpac.me/results/8d6293e9-6900-4030-94c8-11fa49f12f9d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/23db5a11dc61/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/23db5a11dc6193a946e447bc1b53252b81609b92a0621ac9bea466bd75496862

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/246288/

Comments