MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

SHA256 hash: 46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6
SHA3-384 hash: 8127d6396720754420c87b0dbbf732f9ffccc32b64768303e7abb769a218feee4aed7838b775a4ef14ddbfc36b5fc528
SHA1 hash: 5068b7beb3412f81c2ffa97aa67a804d63a47575
MD5 hash: 0bfbdd1fe9f831f43d65b03253044ce1
humanhash: sweet-romeo-fifteen-maine
File name: 0bfbdd1fe9f831f43d65b03253044ce1
Signature: RedLineStealer
File size: 2'517'783 bytes
First seen: 2022-11-03 01:05:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: db35ea5c80fc8389ab141cd45083bdd3 (17 x RedLineStealer, 1 x RecordBreaker, 1 x DCRat)
ssdeep: 24576:qDNLYLYBuocHhMoxfQ6rISrWCKJUocSGcVGpGhhQLLsa970eisl3RuQ553137:qDI8CK+cGOGpGhhQ2sl3h
Threatray: 584 similar samples on MalwareBazaar
TLSH: T125C51A035BCB0E75DDD27BB4618B633AA738ED30CA2A9B7FF608D43559532C4681A742
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 212
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: 0bfbdd1fe9f831f43d65b03253044ce1
Verdict: Malicious activity
Analysis date: 2022-11-03 01:10:57 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm overlay packed redline spyeye
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph: (image)
Threat name: Win32.Spyware.Aurorastealer
Status: Malicious
First seen: 2022-11-01 03:16:17 UTC
File Type: PE (Exe)
AV detection: 21 of 26 (80.77%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline infostealer spyware
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
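The vendor signatures above (allocates memory in a foreign process, writes to foreign memory regions, suspicious use of WriteProcessMemory and SetThreadContext, injects a PE file into a foreign process) describe one injection pattern rather than four separate findings. The following is an added example, not code from the MalwareBazaar page or from any vendor's sandbox: it correlates a constructed API trace and flags a caller that performs all three steps against the same foreign PID, while ignoring self-targeted calls and a lone WriteProcessMemory. The PIDs, the event list and the use of VirtualAllocEx as the allocation call are assumptions for the example.

```python
from collections import defaultdict

# Constructed API-trace events for the example: (caller_pid, api, target_pid).
# PIDs, event order and the specific API names are assumptions, not data
# taken from the sandbox report above.
TRACE = [
    (4120, "CreateProcessW", 5588),        # "Creating a process" in the report
    (4120, "VirtualAllocEx", 5588),        # "Allocates memory in foreign processes"
    (4120, "WriteProcessMemory", 5588),    # "Writes to foreign memory regions"
    (4120, "WriteProcessMemory", 5588),
    (4120, "SetThreadContext", 5588),      # "Suspicious use of SetThreadContext"
    (7001, "VirtualAllocEx", 7001),        # a process allocating in itself: normal
    (7001, "WriteProcessMemory", 7001),
    (3300, "WriteProcessMemory", 3301),    # one write, no alloc or context: not enough alone
]

# All three against the same foreign PID is the pattern the signatures
# describe; any one of them alone is common in debuggers, crash handlers
# and some installers, so matching on a single call produces noise.
INJECTION_TRIAD = frozenset({"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext"})


def find_injection(trace):
    """Return sorted (caller_pid, target_pid) pairs where the caller used the
    whole triad against another process. Self-targeted calls are ignored."""
    apis_by_pair = defaultdict(set)
    for caller, api, target in trace:
        if caller != target:
            apis_by_pair[(caller, target)].add(api)
    return sorted(pair for pair, apis in apis_by_pair.items() if INJECTION_TRIAD <= apis)


def explain(trace):
    """For each flagged pair, list the triad calls in the order they appeared,
    which is what an analyst wants to see next to the alert."""
    out = {}
    for pair in find_injection(trace):
        out[pair] = [api for caller, api, target in trace
                     if (caller, target) == pair and api in INJECTION_TRIAD]
    return out


if __name__ == "__main__":
    for pair, calls in explain(TRACE).items():
        print(f"injection {pair[0]} -> {pair[1]}: {' > '.join(calls)}")
```

Run as a script it prints the one flagged pair with the call sequence; the same function can be pointed at a real trace once the events are mapped into (caller, api, target) tuples. Requiring the full triad is a deliberate trade: it drops single-API noise at the cost of missing injectors that use a different write or execution primitive.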
Malware Config
C2 Extraction: 193.106.191.160:8673
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 9224c5047790a729e31fae61cfe7f7df524d5176b686aa1340d02ab79965ad3d
MD5 hash: 4db20e60a963f2be3de8c60c7a194bfd
SHA1 hash: 931cb08602cdb54cc820d445147aa896227bd5e2
Detections: redline
SHA256 hash: 46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6
MD5 hash: 0bfbdd1fe9f831f43d65b03253044ce1
SHA1 hash: 5068b7beb3412f81c2ffa97aa67a804d63a47575
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256: 46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2022-11-03 01:05:12 UTC

url: hxxp://jhtmuw1v.beget.tech/build/V.exe
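The entry gives three kinds of indicator a defender can act on: the file digests at the top (packed sample and unpacked payload), the extracted C2 endpoint 193.106.191.160:8673 under Malware Config, and the distribution URL from the comment above. The following is an added example, not code from MalwareBazaar or from the reporter: it hashes a file the way the entry does and checks proxy-style log lines against the C2 and download indicators. The key=value log format and the log lines are constructed for the example; only the indicator values come from the page.

```python
import hashlib
import re

# Indicators copied from the MalwareBazaar entry above.
SAMPLE_SHA256 = "46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6"
SAMPLE_SHA1 = "5068b7beb3412f81c2ffa97aa67a804d63a47575"
SAMPLE_MD5 = "0bfbdd1fe9f831f43d65b03253044ce1"
SAMPLE_SHA3_384 = ("8127d6396720754420c87b0dbbf732f9ffccc32b64768303e7abb769a218feee"
                   "4aed7838b775a4ef14ddbfc36b5fc528")
UNPACKED_SHA256 = "9224c5047790a729e31fae61cfe7f7df524d5176b686aa1340d02ab79965ad3d"
C2_IP, C2_PORT = "193.106.191.160", 8673
DOWNLOAD_HOST, DOWNLOAD_PATH = "jhtmuw1v.beget.tech", "/build/V.exe"

KNOWN_HASHES = {SAMPLE_SHA256, SAMPLE_SHA1, SAMPLE_MD5, SAMPLE_SHA3_384, UNPACKED_SHA256}


def file_hashes(data: bytes) -> dict:
    """Compute the same digests the entry lists so a local file can be compared.
    The unpacked SHA256 only matches a dumped payload, not the packed file on disk."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def is_known_sample(data: bytes) -> bool:
    """True when any computed digest equals a hash listed in the entry."""
    return bool(KNOWN_HASHES & set(file_hashes(data).values()))


# Constructed key=value proxy/firewall lines (not from the page); the field
# names ts/src/dst/dport/host/uri are assumptions for the example.
SAMPLE_LOG = """\
ts=2022-11-03T01:06:55Z src=10.0.0.23 method=GET host=jhtmuw1v.beget.tech uri=/build/V.exe status=200
ts=2022-11-03T01:07:12Z src=10.0.0.23 dst=193.106.191.160 dport=8673 proto=tcp bytes_out=2048
ts=2022-11-03T01:08:01Z src=10.0.0.41 dst=93.184.216.34 dport=443 proto=tcp bytes_out=512
ts=2022-11-03T01:08:30Z src=10.0.0.41 dst=193.106.191.160 dport=80 proto=tcp bytes_out=80
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def scan_log(text: str) -> list:
    """Return (line_number, indicator) for every line touching an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = dict(KV_RE.findall(line))
        if fields.get("host") == DOWNLOAD_HOST and fields.get("uri", "").startswith(DOWNLOAD_PATH):
            hits.append((n, "download-url"))
        # The extracted C2 is an IP:port pair, so IP and port are matched together;
        # the same IP on another port is kept as a weaker, separately labelled hit.
        if fields.get("dst") == C2_IP:
            hits.append((n, "c2" if fields.get("dport") == str(C2_PORT) else "c2-ip-only"))
    return hits


if __name__ == "__main__":
    for line_no, why in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {why}")
```

Two caveats a practitioner should keep in mind when reusing these values: the hashes identify this one packed build and its dumped payload only, so a repacked RedLine build will not match them, and a shared-hosting name like the beget.tech host and a C2 IP from 2022 may since have been reassigned, which is why the "c2-ip-only" hits are labelled separately from a full IP-and-port match.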