MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49ebd06a80f2c1cf1f3f0e6a760e7bafc360982d5f7ed03d6fe902a67294a2be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49ebd06a80f2c1cf1f3f0e6a760e7bafc360982d5f7ed03d6fe902a67294a2be
SHA3-384 hash: 493989300510072825f64502fb2ebac0fe235e20b8b8edfe9fa3e8fcc71a1a43b07f62237288cc08a337e96d14bf7c36
SHA1 hash: a456cb2cb15dfbd1a7e3bc8335678cb33d3d73db
MD5 hash: ca6427f91f2d04dfa368d053f4c2da30
humanhash: indigo-uranus-ten-table
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'236'992 bytes
First seen:2022-11-12 10:06:40 UTC
Last seen:2022-11-12 20:48:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 65030b2c95feb9c3384f60db7044d508 (1 x RedLineStealer)
ssdeep 24576:Eut7bhZK4p9tMyXX6NbFvl5acwOfnqoLKiq7pdXvupfU48rioBs2:EusVa0nqoeiqvvulzoB
Threatray 1'313 similar samples on MalwareBazaar
TLSH T156455C2AEB0755F4D6139771858EEB7B8B187A158032EE7FFF5ADA18B4330033849196
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_655905853?hash=G1eYfuRi9LEG6qChjS2CmTOQuB2r7Iif158xaGDMRQ0&dl=G43DANZVGAYDSNY:1668247466:xEwZOtbj3ipfCEPilUcJldaaEAorz7hFSpIZbNpHuCD&api=1&no_preview=1#new10

Intelligence

File Origin
# of uploads :
323
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-12 10:09:44 UTC
Tags:
redline
Link:
https://app.any.run/tasks/b2d201d6-b8fa-4c0b-8be6-e0b0164380a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/332875/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.30696.17031.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51655/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug anti-vm packed
Link:
https://www.filescan.io/uploads/636f704737a53af3a7f575c6/reports/695087e8-e9e5-45fa-ba8e-9176f956da7d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22e26c4a-a692-4fe8-bdc9-42d8fc73833b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1111810
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Performs DNS queries to domains with low reputation
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49ebd06a80f2c1cf1f3f0e6a760e7bafc360982d5f7ed03d6fe902a67294a2be/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-12 10:07:09 UTC
File Type:
PE (Exe)
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhv5a2ua6la46hz7bzvhmdt3v7bwbgbnl57naplp5ebkm4uuuk7a._file
Verdict:
malicious
Similar samples:
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
RedLineStealer
5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030
RedLineStealer
84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172
RedLineStealer
d1044c3ddb7c69269654bdf6c25b0a3640b2a1be2caed5637b81b96ebdf04497
RedLineStealer
d92db9c78fa87d6a9daf30ba9abc7056480f541d7a6b0b17a9f100109df8e6c9
RedLineStealer
df8082a0727341606afda10b167324b33efd4b4f98f468f53d74b3588257c754
RedLineStealer
fb0816b55ce0416b43f909bd41ec2083d8b1715b0765c04cd09eac6ef5c804e5
RedLineStealer
+ 1'303 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:new1112 infostealer
Link:
https://tria.ge/reports/221112-l5m1eaeg66/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
jalocliche.xyz:81
chardhesha.xyz:81
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/41fcbd8a-d073-44d3-bf82-c49203a0439b
Unpacked files
SH256 hash:
cda1c20b1ea279f9e382bd137119fa649bc01085f4f5372b9301dd15bfe6ac1c
MD5 hash:
07e80ad75601efb8d0bf43b43b5fbe46
SHA1 hash:
16234de8ab01971551233328b79e94dd315dcd6e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/373782b1-e7c2-4d12-b6a6-299f77f073bb/
SH256 hash:
49ebd06a80f2c1cf1f3f0e6a760e7bafc360982d5f7ed03d6fe902a67294a2be
MD5 hash:
ca6427f91f2d04dfa368d053f4c2da30
SHA1 hash:
a456cb2cb15dfbd1a7e3bc8335678cb33d3d73db
Link:
https://www.unpac.me/results/373782b1-e7c2-4d12-b6a6-299f77f073bb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49ebd06a80f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/49ebd06a80f2c1cf1f3f0e6a760e7bafc360982d5f7ed03d6fe902a67294a2be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/332875/

Comments