MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 297e3d063b460078308a5c84bb86b13c9bb878a47d02446b0a1ecc25b690e3eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

SHA256 hash: 297e3d063b460078308a5c84bb86b13c9bb878a47d02446b0a1ecc25b690e3eb
SHA3-384 hash: a38a92f7b14e5388f0ed66505bb1f5bb30760191375b54ea08124c14ac4ad55d5ffa94a424f22b5b81a48ec5c5991253
SHA1 hash: b29c94beaa4e9cc4ffdfc043efea4ff48dc9c9e1
MD5 hash: a4f1ea0d81b48d1328bccaa3dc7d2b19
humanhash: jersey-spring-pip-stairway
File name: a4f1ea0d81b48d1328bccaa3dc7d2b19.exe
Signature: RedLineStealer
File size: 144'452 bytes
First seen: 2023-12-24 04:50:09 UTC
Last seen: 2023-12-24 06:17:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fc9cc01cf478a61caa8ec04b5a363615 (2 x RedLineStealer)
ssdeep: 1536:/suK9aXaNmrSLk8uDbb/+tfR+PSh0ybMqvbIteQNTfkAkox+eM81fIkGl35Fyclo:UTFYDf+F0ybMqTeb5fpk6+lYIZ7GVyU
TLSH: T1E1E38D1B1CB38265EFB204B42ECB94F38C86C3460651493336C6322BFB6D5BA356566F
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
94.103.188.192:443

Intelligence


File Origin
# of uploads: 2
# of downloads: 377
Origin country: NL
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: stealer
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 84 / 100
Signature
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2023-12-21 08:19:39 UTC
File Type: PE (Exe)
AV detection: 23 of 37 (62.16%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:5637482599 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: https://pastebin.com/raw/NgsUAPya
Unpacked files
SHA256 hash: 297e3d063b460078308a5c84bb86b13c9bb878a47d02446b0a1ecc25b690e3eb
MD5 hash: a4f1ea0d81b48d1328bccaa3dc7d2b19
SHA1 hash: b29c94beaa4e9cc4ffdfc043efea4ff48dc9c9e1
Malware family: RedLine.E
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments