MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb
SHA3-384 hash: bde6a62734238cb5ec97f0f7d6992194fa6b7cc35dc8823a1e9cac6ef12f1b07131e89b5d6e9d49d96df980371c7e72c
SHA1 hash: c34332b0e58ad9bf99d42f2bfecdd309b53d2890
MD5 hash: b3ed4a5d880de0e32a6e2a886cc03d9b
humanhash: uranus-comet-mars-nitrogen
File name:random(1).exe
Download: download sample
File size:162'304 bytes
First seen:2025-03-19 12:58:54 UTC
Last seen:2025-03-24 07:30:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 3072:+ahKyd2n31r5GWp1icKAArDZz4N9GhbkrNEk1ftT:+ahOrp0yN90QE81
Threatray 1 similar samples on MalwareBazaar
TLSH T14EF38D0A63E420A6E4B657B598F302935A31BCB19B7482FF22C4D57E5E336C4A532B17
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter JAMESWT_WT
Tags:176-113-115-7 exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
396
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
random(1).exe
Verdict:
Malicious activity
Analysis date:
2025-03-19 13:05:13 UTC
Tags:
stegocampaign susp-powershell
Link:
https://app.any.run/tasks/96c994c3-bada-4389-8fde-548cdb933150

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.VBS.DownLoader.3511.26912.10172.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dac533115e7b48b48eac22
Tags:
dropper xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Launching a file downloaded from the Internet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context CAB cmd explorer installer lolbin microsoft_visual_cc obfuscated packed powershell rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/67dabfa30a7899f3579df3df/reports/5a10293c-a9a7-407b-8add-99088a788bf8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7e1ed67e-5acb-4f62-af24-f207493a55dc
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1643066
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643066 Sample: random(1).exe Startdate: 19/03/2025 Architecture: WINDOWS Score: 100 36 bitbucket.org 2->36 38 15.164.165.52.in-addr.arpa 2->38 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Powershell download and execute 2->48 50 7 other signatures 2->50 10 random(1).exe 1 3 2->10         started        13 svchost.exe 1 1 2->13         started        16 rundll32.exe 2->16         started        signatures3 process4 dnsIp5 34 C:\Users\user\AppData\...\67da233bc0788.vbs, ASCII 10->34 dropped 18 cmd.exe 3 2 10->18         started        42 127.0.0.1 unknown unknown 13->42 file6 process7 process8 20 wscript.exe 1 18->20         started        23 conhost.exe 18->23         started        signatures9 52 Suspicious powershell command line found 20->52 54 Wscript starts Powershell (via cmd or directly) 20->54 56 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->56 58 Suspicious execution chain found 20->58 25 powershell.exe 7 20->25         started        process10 signatures11 60 Suspicious powershell command line found 25->60 62 Found suspicious powershell code related to unpacking or dynamic code loading 25->62 28 powershell.exe 14 25 25->28         started        32 conhost.exe 25->32         started        process12 dnsIp13 40 bitbucket.org 185.166.143.48, 443, 49683 AMAZON-02US Germany 28->40 64 Loading BitLocker PowerShell Module 28->64 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-03-19 08:28:19 UTC
File Type:
PE+ (Exe)
Extracted files:
36
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etv32xegexsidhvk7mxxguf6kzomcbepz346wtvineq7eynyrxnq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
752a796fd794a3de6d88a8da68c09c6262b91eae6ad4a3fe805022037b957c83
error
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/250319-p74ygszrs6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
stealer redline
YARA:
detect_Redline_Stealer
Link:
https://app.threat.zone/submission/34605a31-7791-4649-9d0d-9de266b463b9
Unpacked files
SH256 hash:
24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb
MD5 hash:
b3ed4a5d880de0e32a6e2a886cc03d9b
SHA1 hash:
c34332b0e58ad9bf99d42f2bfecdd309b53d2890
Link:
https://www.unpac.me/results/b8b93d32-19c3-4b55-ae16-cedbabe04e51/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/24ebbd5c8625/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3482315/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3482316/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments