MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913
SHA3-384 hash:	35db291596de812da5fae0d373e200329b9e1e6e0fab2bf7a27ead24b61e2a12984b837c9dfb7705e128058423e12712
SHA1 hash:	a72401d072e5217bc9cf61b34e05565099cdc891
MD5 hash:	817a98d559b90313ce8d0b2cf59cf741
humanhash:	fish-double-september-table
File name:	28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	442'792 bytes
First seen:	2022-10-11 10:35:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c4c7b1618d255225412ba726d1a13551 (7 x Stop, 6 x GCleaner, 4 x RedLineStealer)
ssdeep	6144:VmLFamMur+hnhysM/rxXB4BhgP3kg0bLw1g7gui6XveY7T0a7zb2igavwVfId:VmP6hnhysMt8sCLwK7+Kvoa7z/R
Threatray	9'383 similar samples on MalwareBazaar
TLSH	T17994F01236E1C472D1A60E705425CBE16B7FB8726AB0545BF750675F2EB33C1AAB230B
TrID	39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	8572e6eceedcd801 (1 x RedLineStealer)
Reporter	adrian__luca
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913

Verdict:

No threats detected

Analysis date:

2022-10-11 10:36:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b6e52853-1be1-46bb-9208-a4162385ead9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318909/

Detection(s):

Win.Packed.Tofsee-9951336-0

Win.Packed.Zard-9972749-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42483/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit overlay packed raccoon tofsee

Link:

https://www.filescan.io/uploads/63454713aab5b3e31a6a7dc6/reports/2c2c606e-6ca5-4333-a787-bd17a5e8a258/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf758f1c-af0a-41f5-b299-8b06a1485fb3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1087898

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-09-29 15:01:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 25 (96.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fdwdhppezc7z7ehkg3xghtyqfo7tlcwzou2n5bzk7hyob6oyfejq._file

Verdict:

malicious

RedLineStealer

71ad8e2f6ff0c8f2b7e7f5023525f3e4a89718a2795c2e6a0638996027f4e6fa

RedLineStealer

73c74b2ef21ecbf6ca03828e20c3f6e813e21a8b4c6ba226e917f29e1966cab1

RedLineStealer

75455047a5b028aca52489f56fed0a0efa4a7956daeb326ad77e3bc043ecb589

RedLineStealer

7ff74ea26b63223cb00260ebb4a45de95f4af7cb7b4eab488255f4bcaea33b77

RedLineStealer

87fb7e71af72e85768140a74401b51f4c494baab90bcae67567caab048a9fe4c

RedLineStealer

9b5c0f8c034ac7cfd86eca7e3d07a577dc083ba98904012b197b8649875268d5

RedLineStealer

feeccb5f64d6bbbd91ff0d04dea1a02b787475084e28e8a96b1fae403861e601

RedLineStealer

+ 9'373 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:20220916 infostealer

Link:

https://tria.ge/reports/221011-mm8ptsaegj/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.188.21.37:16640

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e42c7d44-39b4-4302-8b0d-77b92f6a34b8

Unpacked files

SH256 hash:

0f6ced89a08ee0369db76bb528666c37c1045d2f43cb0b61cc9772edaea74fb2

MD5 hash:

4e63ee12ec257298370e31808b538ed8

SHA1 hash:

59c159838633d41ce264aafffaa1ff755a71f1e5

Link:

https://www.unpac.me/results/beb7b9f3-fdfe-4422-8c24-17ea811ba76c/

SH256 hash:

11d2c4960d1ed0ad10eabecbed0d61de99127b1f62668e664c0c282467c294e5

MD5 hash:

eecf638c8ebb3745e95b6011d8b2cf7f

SHA1 hash:

4e973821adc26d9c1de7094ec2e4ccdfae9ad6b3

Detections:

redline

Link:

https://www.unpac.me/results/beb7b9f3-fdfe-4422-8c24-17ea811ba76c/

Parent samples :

ec15d31bf11d68867c2f3a2dec4b6de9a15be7e15d9be18ce330e439b1e9aab2
8687cbc1af069ebeaa71e1d86f3c0aff3460964a5d8d216dc3971451130ecc31
e88cd6654c2c72eab768d685cc628062bd6c57f9d93c3b95732be71d8f139507
0722db7a5b0b2d0f1c8d95037e4389856c2c90613bc34b5f4ffa797949d50491
44805dcb3765b8cd912d4f24fda37793295bcedaccdc0c573154d9af85818f6f
a84e7b901fb3bdfb4747e1b2f62dc9250629511d8c49452a5e55e000cf59b153
b09b6d033324032177cb99cd3ae247a3abc7740bd81d2ed6fd2e38a219cb58e3
273edab824d0747c92a3b989af59bc5c4ae7555c29e9c47c20af1ffbef81035e
bfa24f6f3f7f02b4939b00009a9e4c3e2e44aa84d1d14f7c2d34d2e9441d2edf
2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913

SH256 hash:

4113efb7b6643fe15d616e48dc233ba002a2feb9f88d6e413d111c7ae875df72

MD5 hash:

1e5a040d59a7407064950f78166a25b3

SHA1 hash:

227b2e0df01eb3887e3f7c047666d14ff621a10c

Detections:

redline

Link:

https://www.unpac.me/results/beb7b9f3-fdfe-4422-8c24-17ea811ba76c/

Parent samples :

8687cbc1af069ebeaa71e1d86f3c0aff3460964a5d8d216dc3971451130ecc31
a84e7b901fb3bdfb4747e1b2f62dc9250629511d8c49452a5e55e000cf59b153
273edab824d0747c92a3b989af59bc5c4ae7555c29e9c47c20af1ffbef81035e
bfa24f6f3f7f02b4939b00009a9e4c3e2e44aa84d1d14f7c2d34d2e9441d2edf
2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913

SH256 hash:

28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913

MD5 hash:

817a98d559b90313ce8d0b2cf59cf741

SHA1 hash:

a72401d072e5217bc9cf61b34e05565099cdc891

Link:

https://www.unpac.me/results/beb7b9f3-fdfe-4422-8c24-17ea811ba76c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/28ec33bde4c8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/318909/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample