MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e
SHA3-384 hash: bb53d2173215016d02ce525341891e6873d6ccf19c92fc6e3a22b11bc9b9177f49c1a78db32e74e8ef4b4ed867c92c18
SHA1 hash: d011436be842e58bf5a70bb2c0e9a963a6d5011b
MD5 hash: d46d968df6c8596c4a2dd2e19bd3dadb
humanhash: chicken-kilo-cat-river
File name:d46d968df6c8596c4a2dd2e19bd3dadb
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:276'296 bytes
First seen:2023-12-11 20:37:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6adabf5929912c81c518ab88933ce307 (7 x RedLineStealer, 1 x LummaStealer)
ssdeep 6144:nOf2K2xa/WUE/y6sucuCHVc/AJteztTs/oT:nARUa4cuCHVcmeztCU
Threatray 75 similar samples on MalwareBazaar
TLSH T16D449D1217BC48E9F28AC4BFEAC091B0196AFC75E3A023EB725A415A0FE41D5477BF15
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
1f74315dca91bc894d55aaf284d95fd2.exe
Verdict:
Malicious activity
Analysis date:
2023-12-11 21:59:30 UTC
Tags:
loader smoke smokeloader stealer redline
Link:
https://app.any.run/tasks/e51e29f7-cc8c-4fc2-a8d9-5c75fc110241

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466188/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11812.12831.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6577732d8b5ba47db2dea01d/reports/a17aadb2-7f3d-4996-8d76-9e8fff993714/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ee051595-73d6-4575-a26c-309c58ea0d4b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1359119
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 18:34:29 UTC
File Type:
PE (Exe)
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gigxxzl3rzlcjg5arex4pc67p65orvkpzbyjxsdmpt4y6vqyt4ha._file
Verdict:
malicious
Similar samples:
1f4bcad1edad0cae8ac0ad13beeb3ba0915057fdd5d26c0af51df0300a127a09
RedLineStealer
320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e
RedLineStealer
503f3cd6bab9e4a2db1589b0c9ef7cacc5fae15a91d1590133075c93c8ef32a3
RedLineStealer
9665dcf0f35367e093f2534c42cdcb6a92c929892ca0b11ab37cb8ee82f1314f
RedLineStealer
e07e69559c0b24d62ec790b84075f18c9fa8480780eb8abe7d3bc10897a86a78
RedLineStealer
e5525c0cc38c18efafa4e48acd35b106ee0debd8c4ab1f45c6e64866ba8b6dbb
RedLineStealer
f421c256d4de1a3dfa74bbb4b48e0376bdc2ee18fa3808dcca085621fdde46f4
RedLineStealer
+ 65 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/231211-zepm7sacd3/
Unpacked files
SH256 hash:
7d47c8005b810d93d72c71260cdece50477693473666e5e919f4e6d967718134
MD5 hash:
382931c9ca4c662cee9809dc1cbc0add
SHA1 hash:
d46d8828e2476b547eae069e9a41e7e9b871f088
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/89fc2f54-13e2-43b9-be5f-bb028effc529/
Parent samples :
7b3a28bfe1eb241dd539336313198a6684bcbef1905349b8b0859de555bdf3dc
320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e
8de352c1bca0c712c63f4ca6fcc6f725f1cfbb462d39489258ea8478787bb669
2b82e968c7dc0b4726acb9ead06092a059fbf34e9068532ad1151c479e5b331d
SH256 hash:
320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e
MD5 hash:
d46d968df6c8596c4a2dd2e19bd3dadb
SHA1 hash:
d011436be842e58bf5a70bb2c0e9a963a6d5011b
Link:
https://www.unpac.me/results/89fc2f54-13e2-43b9-be5f-bb028effc529/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/320d7be57b8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 320d7be57b8e56249ba0892fc78bdf7fbae8d54fc8709bc86c7cf98f56189f0e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2739672/
Cape
Cape
https://www.capesandbox.com/analysis/466188/

Comments


Avatar
zbet commented on 2023-12-11 20:37:09 UTC

url : hxxp://185.221.198.96/traffico.exe