MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e487d35f6cb2d666973e56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e487d35f6cb2d666973e56
SHA3-384 hash: 3697821f47d0a6fac1a1f709661294be9e892b1ee021710aa2907a589feb80e30a098de6e630e13e50f18abe39f1d0ff
SHA1 hash: 420ea0835999e3ee855dbe9082e0adacc2c71a70
MD5 hash: 546f051f252a9c7fb58879a60216b5e4
humanhash: tennessee-fish-london-solar
File name:30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e48.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:684'544 bytes
First seen:2023-01-04 17:40:26 UTC
Last seen:2023-01-04 19:29:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:SaLXhecY1AUUnp3iJtPyqsxVwXtKWbcja6m1h/Fvln1fKl:SaLRel1/Y3+ybmbcu9/Fvl9Kl
Threatray 4'171 similar samples on MalwareBazaar
TLSH T167E412862A51EFE6D5083272FE2462F22952DC4CF50D329B0677FF8DEE6DD1580358A8
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 4d55214949410727 (1 x RedLineStealer, 1 x AsyncRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.65.134.165:55673

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-04 14:55:37 UTC
Tags:
trojan loader smoke rat redline
Link:
https://app.any.run/tasks/0f1ff7cb-5701-4cc2-b398-8512ac93b4a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349453/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.58798.29313.21330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
Enabling autorun
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63b5ba3040e878e30422b286/reports/76f7dde5-82d8-49da-b401-2ad442302e4f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52bd7ada-6617-47da-8eb4-256fbafb8a56
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145238
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e487d35f6cb2d666973e56/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-01-04 16:38:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdqku2hdeshiaeauopfg6eky3wj3jynluhsipu27nsznmzuxhzla._file
Verdict:
malicious
Similar samples:
2271dd64f293714d67e83203208ad1a9bfaa4ac31dd9c0b252645b0a3d3bfb94
RedLineStealer
2416eef956b39e6a57f100b4b2d368da0e4d848d90924c2af068845c9c691e86
RedLineStealer
40e33edbe3cc188d6a3c4e535344b8d2cc94ca910dcd7cf57f79958010338dcf
RedLineStealer
68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603
RedLineStealer
7fadbd60573858ffed6181a05604701a0ddf5f38cdb9c0c097cd55b17f9e0d5f
RedLineStealer
81bf53fbfc3cac4f4e2a4d35692127d7a5f32d8b2c06fc44e30775c4ac0be8af
RedLineStealer
92d7328364d21a2beefd79c8932445ebb5696acf75f22fb9cc87d76def3c5b58
RedLineStealer
a14600c06ba898ae24152bfdc01c6c514007dec5d81d95161f5fdb3e6399adc0
RedLineStealer
c98bf80d5e23903e4934015e75f6c036130296519548b6014575207d2d296201
RedLineStealer
eb753a672a27151de8865bcc26f5f8d736b3bb1b49fd895f065f7c900221ef84
RedLineStealer
+ 4'161 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:7743 infostealer persistence spyware
Link:
https://tria.ge/reports/230104-v9ez2aha43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Modifies WinLogon for persistence
RedLine
Malware Config
C2 Extraction:
185.65.134.165:55673
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1f90ac6b-3175-4bcf-91df-3cac718968ea
Unpacked files
SH256 hash:
f8a99647643652e2b9b6248ceac9502ed710c3724f95deea4e59da663faddda6
MD5 hash:
49dbb62327a84dde651a7fd0dde9489f
SHA1 hash:
951b9662e403c8a26a6b4d7d9e1fa6809bd7ca5b
Link:
https://www.unpac.me/results/0a5d7d9a-8d0b-4962-af9c-51ac4b2960f5/
SH256 hash:
15c358cbcbc0add40960d90b95a87468437f1f816fcc853b5c3c0796a2af68a4
MD5 hash:
f523f0d5dc525ac25b2f2203e51e2087
SHA1 hash:
615c38be19cc1dd15a5804d52620c5165dcc405b
Link:
https://www.unpac.me/results/0a5d7d9a-8d0b-4962-af9c-51ac4b2960f5/
SH256 hash:
fffe7724a86e7ff0074194b7b88bdb567e1d34056bcb13021833115a6e47a76b
MD5 hash:
df41235bad80079342fd7541548b7e01
SHA1 hash:
82c30c01e6bd5adaaeb9cf8a1867d07da05033e6
Link:
https://www.unpac.me/results/0a5d7d9a-8d0b-4962-af9c-51ac4b2960f5/
SH256 hash:
30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e487d35f6cb2d666973e56
MD5 hash:
546f051f252a9c7fb58879a60216b5e4
SHA1 hash:
420ea0835999e3ee855dbe9082e0adacc2c71a70
Link:
https://www.unpac.me/results/0a5d7d9a-8d0b-4962-af9c-51ac4b2960f5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30e0aa68e324/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e487d35f6cb2d666973e56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e487d35f6cb2d666973e56

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/349453/
  
URLhaus
https://urlhaus.abuse.ch/url/2497446/
  
Delivery method
Distributed via web download

Comments