MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
SHA3-384 hash: fcafcbede47271684a873a6eb52f3726efcd728e2c173e6bda0ca972cbae109962baddc54e90530c3b7651b190b3e085
SHA1 hash: 5d54ca9bcf2247a439156e35a1b7b6b19276983c
MD5 hash: 514fa08eb39ae9a04e6bc95233b7af02
humanhash: jersey-washington-oregon-red
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:354'816 bytes
First seen:2023-07-31 12:52:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a01249a11ad56cc27bb7173ed6438e32 (1 x RedLineStealer, 1 x Smoke Loader, 1 x RecordBreaker)
ssdeep 6144:CtFwQ2mAFQwI/jJbn6dIcZgv6u42YPVh4AUqN8sYItn7:Ctk5FQwILFwwv6u42YPjzqUt
TLSH T18674E021B5C0D073E1679A305970C6912A3BBC67AF7595CB33A82B3E2E702C14B76757
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70d0ded2d1d1d2dd (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://95.214.25.207:3002/file.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-31 12:54:54 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/1d235292-f546-4c43-a7cb-fce1b1c83fd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439429/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.5749.22950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating a file
Searching for analyzing tools
Launching the default Windows debugger (dwwin.exe)
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64c7aeafa108b876ac8487b3/reports/ab747d28-62b0-4a64-b908-5e69592b91db/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22ad84a0-3728-41e1-b288-4dc87e08accf
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283178
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 12:53:05 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2orzhmcjhoslnhqski2mexd4fjuau5ct2fyzxcas5fs7c4gmvrq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230731-p4l89sgf8t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
51.89.201.49:6932
Unpacked files
SH256 hash:
f5d6462a2d94739de88ed00f6235a8b6297ed69f276c1b1b5eac019ffd76832c
MD5 hash:
414f2bd73f5fa592f629ca2583986212
SHA1 hash:
bdd104e676335baa9ade66f3d0bc6c3c02ee7efd
Link:
https://www.unpac.me/results/f3153059-a530-4b14-99c6-8a88517eb2ce/
SH256 hash:
5d1835b7abe9635775381d92c69be21a845302b59627c983231637b0e03cf083
MD5 hash:
905f316e5faf8833fbfffb9624b33a7a
SHA1 hash:
5768ff57e4c51c2000018642142518ec91fdd976
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f3153059-a530-4b14-99c6-8a88517eb2ce/
Parent samples :
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
854686fe7733b66f0cb1fd49714e5126413f200bd8fe7c7dcc4e900e808a30cc
3122024e38f6769ed308f951822fb89eea84c3fe13fdc8a7397f6bfabe3d0d28
f4d613761f025e646a9adeea89975989bd817d0280d05fc45e61301bfaa43688
fd613ccfdd3bb9ab2009d07d3df55827dbd67bd6e5b5574924fba1e6940a404c
6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
d5f1a77bf8d84cf38a76a3a077e7d0cdbdb8f436392ec8742f7463c0f8067362
92cdd03295523d1f0b5fdf13489745137a8000a34657dd1316b716a8b52b5b4e
f24b3812d45263f6998aa5e2edfd61f5919d81a6916c52e7d4d0d1c53a050afe
db40827d851730dff5a1019430f6364fa76cec8fecad2bf76d2d78ab2102f672
6576a9cae4aa29df3f1a64c991edf760b5049d46b9f8c04a746afab4c75b2461
156f8a01373f5c86d414a9597835bbd998092c5408ff2bdcfdabc93e7394d536
2432fd8a398d21a7e5cdd1db1bc5b3d57619b3f1fb834f44d61bacae350a7f8e
5570374655d68b8a1e42aa5aa5b4a63367a7919c352b5aa1c8c4049034425205
f6dd9fd0185041228855ea83680f9ab6c96dc9bf63da4ac5dce9260ae2af00e3
90a64173b3e6a9bc6d76975b4b566ad2a1ed2e7530c90a142b4d19914141cd20
faa536c84fe0357e13c3464114b7cc417cf91ed91ea29da648924b17335269ee
e0b1ee6c4cbf7cef3f99179f852d08088cd8d0b47ea3af9c1b4bab543d895adc
469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
31b442766d69f7e989e3839c60b3d0792745ce2e97461495559d3082f5b0607c
5c249d73d8a1451c87291303f8568f8602ee6c9eaeeeaf304e484d00e0a00fa9
b805ee9e91c4716831f7f44ab17a2e58ec9f90c73be93cf7468fee62edcbc2d7
e0193765c9e157028a992d2c76b8d3b717cc4390ddb4d6a972351ec9d39981e9
0eb8836fbbec229856e5b8ec0703cf55b38c2c94fd1719b994fa23cc8a1b7ab1
e58b5a3526a5b42be36a7cdf94d17035f76df9fed7db09d3982330a61986f7d8
c9d61842904c94a0a518478b2e9a81814b1bac45579d077bb4d5e628a9556d19
0aeabd2cce82133225f93a32f88d3a1ac58b149f1b897d7467fcfbd02369330e
e4e4ba94f26c1684ca0d8815d9f20b81e3c7000a88729a460f688ef405995161
c4dd212e80e44d05c45658aa172cf438abd791e89096f1b512fd67684951b0a0
9b400556890eb898227a06f91838ff0edf22c19a5f06d5f99181c7da2c45ea07
37de802ee7fb89ecbaef5175ea96747b7d429e92621cc236ee461cd6f084799b
SH256 hash:
8a9b739843085c75a03fdad6bf64ee1b62b119f0ad1f0ded8b5e881ea6a9e4b0
MD5 hash:
0f11f1777a3880c7f24b2071c79be591
SHA1 hash:
5711544dbf93cbccfee2c43ab1bf71f455122ecb
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f3153059-a530-4b14-99c6-8a88517eb2ce/
Parent samples :
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
854686fe7733b66f0cb1fd49714e5126413f200bd8fe7c7dcc4e900e808a30cc
3122024e38f6769ed308f951822fb89eea84c3fe13fdc8a7397f6bfabe3d0d28
f4d613761f025e646a9adeea89975989bd817d0280d05fc45e61301bfaa43688
fd613ccfdd3bb9ab2009d07d3df55827dbd67bd6e5b5574924fba1e6940a404c
6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
d5f1a77bf8d84cf38a76a3a077e7d0cdbdb8f436392ec8742f7463c0f8067362
92cdd03295523d1f0b5fdf13489745137a8000a34657dd1316b716a8b52b5b4e
f24b3812d45263f6998aa5e2edfd61f5919d81a6916c52e7d4d0d1c53a050afe
db40827d851730dff5a1019430f6364fa76cec8fecad2bf76d2d78ab2102f672
6576a9cae4aa29df3f1a64c991edf760b5049d46b9f8c04a746afab4c75b2461
156f8a01373f5c86d414a9597835bbd998092c5408ff2bdcfdabc93e7394d536
2432fd8a398d21a7e5cdd1db1bc5b3d57619b3f1fb834f44d61bacae350a7f8e
5570374655d68b8a1e42aa5aa5b4a63367a7919c352b5aa1c8c4049034425205
f6dd9fd0185041228855ea83680f9ab6c96dc9bf63da4ac5dce9260ae2af00e3
90a64173b3e6a9bc6d76975b4b566ad2a1ed2e7530c90a142b4d19914141cd20
faa536c84fe0357e13c3464114b7cc417cf91ed91ea29da648924b17335269ee
e0b1ee6c4cbf7cef3f99179f852d08088cd8d0b47ea3af9c1b4bab543d895adc
469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
31b442766d69f7e989e3839c60b3d0792745ce2e97461495559d3082f5b0607c
5c249d73d8a1451c87291303f8568f8602ee6c9eaeeeaf304e484d00e0a00fa9
b805ee9e91c4716831f7f44ab17a2e58ec9f90c73be93cf7468fee62edcbc2d7
e0193765c9e157028a992d2c76b8d3b717cc4390ddb4d6a972351ec9d39981e9
0eb8836fbbec229856e5b8ec0703cf55b38c2c94fd1719b994fa23cc8a1b7ab1
e58b5a3526a5b42be36a7cdf94d17035f76df9fed7db09d3982330a61986f7d8
c9d61842904c94a0a518478b2e9a81814b1bac45579d077bb4d5e628a9556d19
0aeabd2cce82133225f93a32f88d3a1ac58b149f1b897d7467fcfbd02369330e
e4e4ba94f26c1684ca0d8815d9f20b81e3c7000a88729a460f688ef405995161
c4dd212e80e44d05c45658aa172cf438abd791e89096f1b512fd67684951b0a0
9b400556890eb898227a06f91838ff0edf22c19a5f06d5f99181c7da2c45ea07
37de802ee7fb89ecbaef5175ea96747b7d429e92621cc236ee461cd6f084799b
SH256 hash:
f9dd467756989b972f91b74dd3d8a46177a487a466cd46ee295957b8f46160ab
MD5 hash:
da7faeda88e9104f5fde519966dab3d1
SHA1 hash:
46c0be2aef08a87e006807fddaed9da52e14ef7e
Link:
https://www.unpac.me/results/f3153059-a530-4b14-99c6-8a88517eb2ce/
SH256 hash:
469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
MD5 hash:
514fa08eb39ae9a04e6bc95233b7af02
SHA1 hash:
5d54ca9bcf2247a439156e35a1b7b6b19276983c
Link:
https://www.unpac.me/results/f3153059-a530-4b14-99c6-8a88517eb2ce/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/469d1c9d8249/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/439429/
  
URLhaus
https://urlhaus.abuse.ch/url/2688389/
  
URLhaus
https://urlhaus.abuse.ch/url/2689675/

Comments