MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
SHA3-384 hash: 48971c4a415b9d18d4f1f00aef85fa1eb4e963813c3c56c02caf8d2baaa1f86adf0fc57655964eba1f24a71bd4d25804
SHA1 hash: 7393d742bfb5bc4d352f8c648c1af408ed88d894
MD5 hash: e588b07033b40d16b3deac16b0eac085
humanhash: bluebird-arizona-quebec-october
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:347'648 bytes
First seen:2023-10-14 14:05:59 UTC
Last seen:2023-10-14 19:35:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 89b4938a013d6b8954f68c2ef1293c62 (10 x RedLineStealer, 4 x Amadey, 4 x LummaStealer)
ssdeep 6144:rgJsICnU9Q8rTXhzEURyTYGOEItAfZ39PoJ:rUsICnY6URYItGtPoJ
Threatray 1'094 similar samples on MalwareBazaar
TLSH T17B743B6AF756C633E0AE377D012B06734B799DF0CF8CBADF21A98296605CE8146C4D46
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
22
# of downloads :
318
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-14 14:06:54 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/a08c3c78-3b83-4d47-8d33-e165d280388e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454322/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12154.17666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652aa04ac51de9263e5a4d51/reports/03d50c08-5968-4483-94f0-cd28b42f21e2/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a7e6233-32f2-4428-a0fb-0d6ec1aff316
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325686
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found API chain indicative of debugger detection
Found malware configuration
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-14 14:06:05 UTC
File Type:
PE (Exe)
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ez53fn5vbjc3wj2thstpiw3netulljqqvlpvq4zgjeoovtg64hfq._file
Verdict:
malicious
Similar samples:
08c0d32c5801467454e923599e74fc5c10ff0db6d152d9e5f67a303203e33db4
RedLineStealer
0d2075b728700bacfa79dc4138df8e89a8d3a67221f612d2997968598b6285b3
RedLineStealer
58448c417657e36527847d43cb0adc5e910b8e5211cbf8b3fc35c52b59332c53
RedLineStealer
6d2ec231112b3cfc9f4b22c0d21866be80d39c68ddc0358bdad12284e4783ea2
RedLineStealer
9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff
RedLineStealer
adad848bf6d7a20eb9faef8413be0071b82fc7b237c867e15e05e7d5600d23ee
RedLineStealer
da920bb04ee50d8842f01eda3e8eafde082331df010631fc8d0a2c20af911e98
RedLineStealer
e074f166319a73c358eccdc9e0478314eb51d144e72de83c602823c8f72b7093
RedLineStealer
e6e34973f51bfecb0dea2825753f1db7414549d9e794bcdf8191b1d8486ffcf9
RedLineStealer
f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3
RedLineStealer
+ 1'084 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:build285 infostealer spyware
Link:
https://tria.ge/reports/231014-redxpsha25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02
MD5 hash:
281cdc7e284b96011624acded1859799
SHA1 hash:
af8e34c4c7708547c8f2d35a13121c7a9d6fcd20
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1c4a3813-4618-4405-84b5-727c26a15c44/
Parent samples :
399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d
SH256 hash:
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
MD5 hash:
e588b07033b40d16b3deac16b0eac085
SHA1 hash:
7393d742bfb5bc4d352f8c648c1af408ed88d894
Link:
https://www.unpac.me/results/1c4a3813-4618-4405-84b5-727c26a15c44/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/267bb2b7b50a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/
Cape
Cape
https://www.capesandbox.com/analysis/454322/

Comments