MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b30661397e5f2ddca5993a075543d481cac944fac980a4a49ee93f502836e5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: 2b30661397e5f2ddca5993a075543d481cac944fac980a4a49ee93f502836e5a
SHA3-384 hash: 8f4a41cbe1697dd6608a9c68856a356f0f3bcd976bac8b7ac015e6bd7088db3ecf040f9690e185ed22e6af36ce7cd136
SHA1 hash: eda602d0a983be1876f2674c54afe131ed324997
MD5 hash: d0eac32a2c25006d0353892f72fa5877
humanhash: diet-white-carbon-lactose
File name: d0eac32a2c25006d0353892f72fa5877
Signature: RedLineStealer
File size: 256'788 bytes
First seen: 2023-06-26 20:51:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a3a98f4b8bad628ffa25a9afc0275971 (18 x RedLineStealer, 12 x Amadey)
ssdeep: 3072:J7JhwEpgyfkn6Y/wHKW/Gl2VfXu58w4S1lwNirkqNKHnJiIJHpCusBjnAuU06BAm:XhwETk6r/ECXY8w4SkN4eipLAIZjI
Threatray: 596 similar samples on MalwareBazaar
TLSH: T1F1443A29B2C0FB6BEA167B7235AFC59D81D72B3147269942BC14FE651A0C0D4BB2C47C
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 316
Origin country: FR

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: d0eac32a2c25006d0353892f72fa5877
Verdict: Malicious activity
Analysis date: 2023-06-26 20:53:20 UTC
Tags: rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware

Behaviour
Creating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 9/10
Tags: n/a

Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Cerbu
Status: Malicious
First seen: 2023-06-26 20:52:06 UTC
File Type: PE (Exe)
AV detection: 17 of 37 (45.95%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:smoke discovery infostealer spyware stealer

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine

Malware Config
C2 Extraction: 83.97.73.131:19071
Unpacked files
SHA256 hash: 26c382900cac0e7c45846f55377caf24596e148b5628f65453f3b99ea794d803
MD5 hash: f08d7cb884a91db63e5c7714bfdbe261
SHA1 hash: 2bc8cc8015786400a4fdb3cf7ba6c5e71a493acc
Detections: redline redline
Parent samples:
SHA256 hash: 54da1dcfe24d1f9b7febd239cbd6878b09894db8a7795743facaaf9781f7380e
MD5 hash: 43a74199377104f840b9ab4fc4975ac2
SHA1 hash: 23806db6379a9e1df42877ea44c86527c884c1fe
SHA256 hash: 2b30661397e5f2ddca5993a075543d481cac944fac980a4a49ee93f502836e5a
MD5 hash: d0eac32a2c25006d0353892f72fa5877
SHA1 hash: eda602d0a983be1876f2674c54afe131ed324997

Malware family: RedLine.E
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: RedLineStealer
File: Executable exe 2b30661397e5f2ddca5993a075543d481cac944fac980a4a49ee93f502836e5a (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2023-06-26 20:51:14 UTC

url : hxxp://77.91.68.16:3350/metro.exe