MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
SHA3-384 hash: d5bec2a7094880709c574b8375cf5e2cc9415288bf46bbf8a6986c2139c1c8211a1aba58e112093e5e0c5ebc5cdbc965
SHA1 hash: 7fff101ead810f08b7a2c3b03052a0808d5c4e25
MD5 hash: ef15fb5c6efe17814d15546267f338a6
humanhash: bulldog-leopard-golf-friend
File name:2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:444'592 bytes
First seen:2022-10-11 10:21:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a1dd2daf6fcaa8405a3968231f4dd38 (6 x GCleaner, 5 x Stop, 4 x Smoke Loader)
ssdeep 12288:0GL6Et02LFuYdi5GEuhD1IUF2yFGxTRf:0E6E5uYMoEkD1IUUyATR
Threatray 8'851 similar samples on MalwareBazaar
TLSH T1F394F11535A2D471D1A20E308869DBB16B7BBC32A474944FB764975F2EB33D09EB230B
TrID 39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 4038f4ecececd900 (1 x RedLineStealer)
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
Verdict:
No threats detected
Analysis date:
2022-10-11 10:20:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed4c7d64-7ee2-4761-b53b-dc0f6f597ced

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318900/
Detection(s):
Win.Packed.Tofsee-9951336-0
Create hunting rule

Win.Packed.Zard-9972749-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42481/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6345440c0d2bcf0ff9a237be/reports/28a170ef-6e53-4cb3-9cbd-854a1aa962fe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ff66cd2-a8d1-4b77-88bd-6456697b9563
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1087894
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-29 15:07:47 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
24 of 26 (92.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgj6s3toi377dulpd2nhovut6a3guqwahrwoipymurwuitfpeqla._file
Verdict:
malicious
Similar samples:
0bd03bf5df93a6043c8b510a852711c5a94e2b37cecad3243cd3b8b0e41c4da5
RedLineStealer
2d8f66488f1afba415472d8d34a2bd4c0ca7a93718c2245250cf295e764314d7
RedLineStealer
35be65280e65cc6b44fb20b468cca606d518aad0cb448127df637e75231d86ec
RedLineStealer
383086b2fc32ea35b9d39e7f511a256707950745fbb1029826a2ef3d8c2fceba
RedLineStealer
7193d4278554893e271bad4b43616676876e69141762fe1dd8bca07a02f4796e
RedLineStealer
85f755c8af053f1629d9148be4e10958bdead2da1ad516ce17fc3388ff360853
RedLineStealer
9d9c65f52f4284b3ac29a884d0bc6fc780f8a520c02cde84031f7d15b277577c
RedLineStealer
9fba951551d3a3fcd985c7d4927f8df2f827474ab1027b17272e619e733ad857
RedLineStealer
e3eaa8bc57c967d68a7d5c37c2ff6b1155e67390042c104af1c30c3b35146b28
RedLineStealer
e5180878448b956a3d4a0c2683ab08925eba132086afb4e16f166f867b3fa063
RedLineStealer
+ 8'841 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:20220916 infostealer
Link:
https://tria.ge/reports/221011-md8ngahhf4/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.188.21.37:16640
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5927aadf-136e-4e6b-a733-ada36c137e74
Unpacked files
SH256 hash:
0f6ced89a08ee0369db76bb528666c37c1045d2f43cb0b61cc9772edaea74fb2
MD5 hash:
4e63ee12ec257298370e31808b538ed8
SHA1 hash:
59c159838633d41ce264aafffaa1ff755a71f1e5
Link:
https://www.unpac.me/results/21358c56-6642-4831-b605-84c153136e4a/
SH256 hash:
11d2c4960d1ed0ad10eabecbed0d61de99127b1f62668e664c0c282467c294e5
MD5 hash:
eecf638c8ebb3745e95b6011d8b2cf7f
SHA1 hash:
4e973821adc26d9c1de7094ec2e4ccdfae9ad6b3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/21358c56-6642-4831-b605-84c153136e4a/
Parent samples :
ec15d31bf11d68867c2f3a2dec4b6de9a15be7e15d9be18ce330e439b1e9aab2
8687cbc1af069ebeaa71e1d86f3c0aff3460964a5d8d216dc3971451130ecc31
e88cd6654c2c72eab768d685cc628062bd6c57f9d93c3b95732be71d8f139507
0722db7a5b0b2d0f1c8d95037e4389856c2c90613bc34b5f4ffa797949d50491
44805dcb3765b8cd912d4f24fda37793295bcedaccdc0c573154d9af85818f6f
a84e7b901fb3bdfb4747e1b2f62dc9250629511d8c49452a5e55e000cf59b153
b09b6d033324032177cb99cd3ae247a3abc7740bd81d2ed6fd2e38a219cb58e3
273edab824d0747c92a3b989af59bc5c4ae7555c29e9c47c20af1ffbef81035e
bfa24f6f3f7f02b4939b00009a9e4c3e2e44aa84d1d14f7c2d34d2e9441d2edf
2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913
SH256 hash:
4113efb7b6643fe15d616e48dc233ba002a2feb9f88d6e413d111c7ae875df72
MD5 hash:
1e5a040d59a7407064950f78166a25b3
SHA1 hash:
227b2e0df01eb3887e3f7c047666d14ff621a10c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/21358c56-6642-4831-b605-84c153136e4a/
Parent samples :
8687cbc1af069ebeaa71e1d86f3c0aff3460964a5d8d216dc3971451130ecc31
a84e7b901fb3bdfb4747e1b2f62dc9250629511d8c49452a5e55e000cf59b153
273edab824d0747c92a3b989af59bc5c4ae7555c29e9c47c20af1ffbef81035e
bfa24f6f3f7f02b4939b00009a9e4c3e2e44aa84d1d14f7c2d34d2e9441d2edf
2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
28ec33bde4c8bf9f90ea36ee63cf102bbf358ad97534de872af9f0e0f9d82913
SH256 hash:
2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416
MD5 hash:
ef15fb5c6efe17814d15546267f338a6
SHA1 hash:
7fff101ead810f08b7a2c3b03052a0808d5c4e25
Link:
https://www.unpac.me/results/21358c56-6642-4831-b605-84c153136e4a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2993e96e6e46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2993e96e6e46fff1d16f1e9a775693f0366a42c03c6ce43f0ca46d444caf2416

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318900/

Comments