MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2416eef956b39e6a57f100b4b2d368da0e4d848d90924c2af068845c9c691e86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2416eef956b39e6a57f100b4b2d368da0e4d848d90924c2af068845c9c691e86
SHA3-384 hash: 6dae345fb87fc87da4c7162cf3124d0398afe945d44737ab4a3d4339de2374cfa4e3daa5898ab5011f6f0028402098ce
SHA1 hash: dd175d7c6581998f71b01c15ed96be1cab74025c
MD5 hash: bb298a0832ed5dd6965d36d9ebe5ec5d
humanhash: don-september-cup-crazy
File name:decoded-20221225154900.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'997'313 bytes
First seen:2022-12-25 15:50:39 UTC
Last seen:2022-12-25 17:36:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:cLM/u06MpzeRsEsPvOamb/rXyPP7RBFM5gJsJECRgH+b:M0ncsEQvtAbeP7ajECRgc
Threatray 4'061 similar samples on MalwareBazaar
TLSH T1BF95E0E6438BC4BDC095D4F8E5C623A5BD320FA4DE6E9CD11FC8ED9F04B8161B829199
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 60e49a92bca4f43c (1 x RedLineStealer)
Reporter Anonymous
Tags:anydeskh.com exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
decoded-20221225154900.exe
Verdict:
Malicious activity
Analysis date:
2022-12-25 15:54:50 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e45be8d3-01a8-46d8-b979-4472a6fe7d1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.25546.24048.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63a87167629a35af1ab3eae3/reports/8757366b-4428-413f-9a8a-3d88dddb9f1b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b6bc39e-ea6e-4228-bc9c-5b857ac9e356
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140871
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2416eef956b39e6a57f100b4b2d368da0e4d848d90924c2af068845c9c691e86/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 15:51:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
16 of 26 (61.54%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqlo56kwwopguv7rac2lfu3i3ihe3benscjeykxqnccfzhdjd2da._file
Verdict:
malicious
Similar samples:
13c05afb9af5a3e3719183b53a4d42fb094f9ccfe7cf89c82315fcf8ea93974f
RedLineStealer
21a228b3a2fdd55d2fdb6ae9fa4d85a63a0635649ef5889c6a2fb6b9a1b8403e
RedLineStealer
2271dd64f293714d67e83203208ad1a9bfaa4ac31dd9c0b252645b0a3d3bfb94
RedLineStealer
3b24ec5793d1bab1702f0c857e91dc83957fff276b9e28060898b9ee9d731617
RedLineStealer
4286a8f42fee95ed8118364726e1951a444c9a2a499221d0d0638f780a8d831f
RedLineStealer
60758b6b4ebbaa83e0db9c18686dd093961be3c87a30b14cc924ac0aa0f5c71c
RedLineStealer
701f68aa98d570229fd0009b583ab60bb0360e802477777281ee71dbb6e93bbe
RedLineStealer
af866cc249dd0bd2f0fc7cf644fbedbb88e887269d9cdab7f4190b08d0cae06e
RedLineStealer
c98bf80d5e23903e4934015e75f6c036130296519548b6014575207d2d296201
RedLineStealer
eb753a672a27151de8865bcc26f5f8d736b3bb1b49fd895f065f7c900221ef84
RedLineStealer
+ 4'051 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:ads discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221225-tagh5sbf95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
34.125.68.133:80
34.141.168.40:80
Unpacked files
SH256 hash:
64c2bd25e505b5d8e52ed91555c0edb95f2a32ca1fadff1dce8c22ab80e46af1
MD5 hash:
3f45f54f076055ebf8f1518f37729a30
SHA1 hash:
dbe0903c8fc8e2eddf5ce86674b6b6e5e6db32fc
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0c7c54b9-c69a-43ac-8fb2-1e7d792d5236/
SH256 hash:
b28f7cc75ecb62dd831b8f1ee54bbf31f312d6807fd461882f9b6cca3706c9ff
MD5 hash:
2a9820cd046999562a55e9fd91b81673
SHA1 hash:
3df2102abb5dc3e2c897cb0af65bd8cfd316699c
Link:
https://www.unpac.me/results/0c7c54b9-c69a-43ac-8fb2-1e7d792d5236/
SH256 hash:
ec3c934cbf8ab4d739fd5ff3bc968ea20ac0cd54e1eb564a2cd87678a1194ef6
MD5 hash:
0b529a12d9f657d7c63ebcedb98b3761
SHA1 hash:
37050a931c624eba25264b00b032b8f00ec4c19d
Link:
https://www.unpac.me/results/0c7c54b9-c69a-43ac-8fb2-1e7d792d5236/
SH256 hash:
2416eef956b39e6a57f100b4b2d368da0e4d848d90924c2af068845c9c691e86
MD5 hash:
bb298a0832ed5dd6965d36d9ebe5ec5d
SHA1 hash:
dd175d7c6581998f71b01c15ed96be1cab74025c
Link:
https://www.unpac.me/results/0c7c54b9-c69a-43ac-8fb2-1e7d792d5236/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2416eef956b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2416eef956b39e6a57f100b4b2d368da0e4d848d90924c2af068845c9c691e86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments