MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 15

SHA256 hash: 469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6
SHA3-384 hash: 8d9926037a2c282747da9024d5b2d9c16d4008d2f93d41af774407ba2a93c0a735a679b2b3684570a2fadcc429119565
SHA1 hash: b5525cc6046115be644943da0668c7f96ec61e5b
MD5 hash: 765df00ae025cd5e708c8f905717afab
humanhash: low-coffee-double-uranus
File name: 765df00ae025cd5e708c8f905717afab.exe
Signature: RedLineStealer
File size: 473'088 bytes
First seen: 2023-01-05 08:50:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9ec3d10eeacac49f6e80fae8eca27e7 (6 x RedLineStealer, 4 x Smoke Loader)
ssdeep: 6144:5mLeNB6mBqES187kIQkvUQaKXMRFIBlloxupmL1E/DjT:5mQB6mBPSe7k8MQrBvoxupmL1E/
Threatray: 19'725 similar samples on MalwareBazaar
TLSH: T192A4D000F366BBD2FC13C57DA809DEE177ADB9658A10E51F2358255F2EF4BA0C272618
TrID: 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: fcfcb49494949cc0 (6 x Smoke Loader, 2 x RedLineStealer, 2 x Amadey)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 181
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 765df00ae025cd5e708c8f905717afab.exe
Verdict: Malicious activity
Analysis date: 2023-01-05 08:51:09 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer

Threat name: Win32.Trojan.MintZard
Status: Malicious
First seen: 2023-01-05 08:12:03 UTC
File Type: PE (Exe)
Extracted files: 90
AV detection: 23 of 40 (57.50%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@2023@new discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction: 91.215.85.155:32796

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 623528d7352d7f2f6332ee3d9803dd7723650aa389d74f214c655aaa2367bf2f
MD5 hash: 1836f46cf175fa052b5b621264de0cd1
SHA1 hash: f4cfdc88021b2a3083cfd00ba398a657ccf9de26
Detections: redline

Parent samples
SHA256 hash: d076c3acd946c00fdcc14e6ce236e1f75f2886cd681a126f3b39ab755aa676c7
MD5 hash: b3b2f7755ff6ee5c4d22feb3d9e5320c
SHA1 hash: a033cbecd8209c598e7a43875b85ad4df8e44a30
Detections: redline

SHA256 hash: f2415e8ac02120f2cd1170eeef80ab710a074e41dbda7cf5a9af96c0e5814496
MD5 hash: f8530ad04bd70e52c9f1e6427c021401
SHA1 hash: 50c408e94fc2ab9a679b6b23bb187c534a5cdaac

SHA256 hash: 469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6
MD5 hash: 765df00ae025cd5e708c8f905717afab
SHA1 hash: b5525cc6046115be644943da0668c7f96ec61e5b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RedLineStealer
    Executable exe 469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6 (this sample)

Delivery method: Distributed via web download
