MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23ef9cfcefbde3e247b59abc75eab27cc430c2773298b0d1abd6928465f93c26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23ef9cfcefbde3e247b59abc75eab27cc430c2773298b0d1abd6928465f93c26
SHA3-384 hash: 360ba36f4ef169ceb219432789c97904fee371094009b664f467eeec168ae8c14a3474d35dbcf2d1025d452c45eb23da
SHA1 hash: 6b585423cada9fd4d98967c617d3119f0fef6770
MD5 hash: dab35114264bd28a58abeeea3d62415b
humanhash: zulu-maryland-mike-victor
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:304'640 bytes
First seen:2022-11-20 18:48:18 UTC
Last seen:2022-11-20 20:38:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 36b641a29d896f854254088d7a23d111 (2 x RedLineStealer)
ssdeep 6144:415LfA/VFryOAuiiTJ/+kSVE948LIrHLVFE/No5Nd3TL:411otFrhiu/krHpFEq5NV
Threatray 1'506 similar samples on MalwareBazaar
TLSH T1D0548D366192873EE8ABE8764EFDC2B0733D61347FB810976B8C466D4521DEDA23411E
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-20 18:50:15 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4299aed3-2f65-4ffb-b3bd-e776132aa5c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/336447/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.9683.20318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/637a76a0903ba0eaf36cba72/reports/f3266709-434b-40a0-a3a2-5b66276710b5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18d23d4c-312b-4140-8528-371165a10f80
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117651
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23ef9cfcefbde3e247b59abc75eab27cc430c2773298b0d1abd6928465f93c26/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 15:17:13 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 39 (43.59%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=epxzz7hpxxr6er5vtk6hl2vsptcdbqtxgkmlbunl22jiizpzhqta._file
Verdict:
malicious
Similar samples:
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
RedLineStealer
5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030
RedLineStealer
84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172
RedLineStealer
d1044c3ddb7c69269654bdf6c25b0a3640b2a1be2caed5637b81b96ebdf04497
RedLineStealer
d92db9c78fa87d6a9daf30ba9abc7056480f541d7a6b0b17a9f100109df8e6c9
RedLineStealer
df8082a0727341606afda10b167324b33efd4b4f98f468f53d74b3588257c754
RedLineStealer
fb0816b55ce0416b43f909bd41ec2083d8b1715b0765c04cd09eac6ef5c804e5
RedLineStealer
+ 1'496 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:easy1120 infostealer spyware
Link:
https://tria.ge/reports/221120-xgbs1sag95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
chardhesha.xyz:81
jalocliche.xyz:81
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0acb0751-067c-4c30-8c1a-9b5b5166b11f
Unpacked files
SH256 hash:
13d02a7d013f629c8854a01f30925e5ae6c3a3bc66dade822e105ccd284752c0
MD5 hash:
df8687c04e19f6a603a6cd4e2f1d1d2d
SHA1 hash:
07251b60ac5dfd2159a5ea23264ca4493d96ae3d
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ff365e64-c18a-4720-94b1-589d5ae866b7/
SH256 hash:
23ef9cfcefbde3e247b59abc75eab27cc430c2773298b0d1abd6928465f93c26
MD5 hash:
dab35114264bd28a58abeeea3d62415b
SHA1 hash:
6b585423cada9fd4d98967c617d3119f0fef6770
Link:
https://www.unpac.me/results/ff365e64-c18a-4720-94b1-589d5ae866b7/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 23ef9cfcefbde3e247b59abc75eab27cc430c2773298b0d1abd6928465f93c26

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2412583/
Cape
Cape
https://www.capesandbox.com/analysis/336447/

Comments