MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49d64c073de8058ac280d07313bf7d87be0dd4cea277667b797b80c2efee92e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	49d64c073de8058ac280d07313bf7d87be0dd4cea277667b797b80c2efee92e0
SHA3-384 hash:	d6a373a8f17f691908762db25e70cbdd9f8fe1fc79e2e6ee4a098e968ae5d3cc999a9e85bcd332c586e4f998dd644d32
SHA1 hash:	11ec3161704fb8af9522fc8aa545edd527ddcb50
MD5 hash:	07f78b62bb33bb3f965ec2bfed72d91e
humanhash:	missouri-quiet-idaho-diet
File name:	70058773.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	340'480 bytes
First seen:	2023-05-13 22:44:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f021aa83c78590c8e9b0414e5514d473 (1 x Amadey, 1 x Rhadamanthys, 1 x RedLineStealer)
ssdeep	6144:r4F+1y72FlkWdJQlV2F6DdoHOUhXdNaD1:rL1y7u/EWsdshFdNa
Threatray	40 similar samples on MalwareBazaar
TLSH	T1F074295382E13D44EA668BBA9F1FC6E8771EF2508F49776D12199E5F08F10B2D263B40
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0001100284104105 (1 x RedLineStealer)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

70058773.exe

Verdict:

Suspicious activity

Analysis date:

2023-05-13 22:55:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/85da01f3-3904-448e-92ec-e5c83f2ad318

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/388971/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Blocking the Windows Defender launch

Disabling the operating system update service

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/83914/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

amadey gandcrab greyware packed

Link:

https://www.filescan.io/uploads/646012f2e68f9cbce80c3a94/reports/ef7b4893-efa8-4aaa-b479-89818052a4e8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/49d64c073de8058ac280d07313bf7d87be0dd4cea277667b797b80c2efee92e0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c9cffd4a-4f3d-4f1e-a980-bb669ab5c2b6

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1232637

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49d64c073de8058ac280d07313bf7d87be0dd4cea277667b797b80c2efee92e0/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2023-04-28 05:03:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jhleybz55acyvqua2bzrhp35q67a3vgouj3wm63zpoamf37oslqa._file

Verdict:

malicious

RedLineStealer

035c9bb80108098f5ecf852200e5760b9bc2c7fde5038c448f5a9fef70578c16

RedLineStealer

2bb3f8f4fd9426b25ba8ecb2636114cb322920f2921bd026ae1993f0279852f6

RedLineStealer

33d9b9f05bae370e7003a3ac885b1439ce19eae1313d2ef7fa8484c92f6ec831

RedLineStealer

a440dc1fa969ed60fa4ca88d02c6d6748049684de038f5264b23c6ee4a5a991e

RedLineStealer

ad68078b09e38ac511f58bbd2a8cb9242e8415ae6fca7fc44daed1957f4be6ed

RedLineStealer

baee2df2edbc11e49528f1949fe0d56bfbdfb8c3bb6bc5001fe51b97987f517f

RedLineStealer

da030cef1bc08dfb6a6da58b884827b41be987d7b274d65b23bebfe7adee4e79

RedLineStealer

ef9c333d991d81cd06738ae618dcd6844da8a119621d8d71a2b05f45005a6437

RedLineStealer

f6178a5499c6c8a5c24a0c6ab921859725862ddae64ba2de3c94857c116e77b7

RedLineStealer

+ 30 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/230513-2pebbsbh6y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Windows security modification

Modifies Windows Defender Real-time Protection settings

Gathering data

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49d64c073de8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49d64c073de8058ac280d07313bf7d87be0dd4cea277667b797b80c2efee92e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/388971/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample