MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 22 File information Comments

SHA256 hash:	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3
SHA3-384 hash:	1aa9df0af00b16756c2f62829b0b49ecdcdd679adeb07577655731e346f2c020e878b5837a710bedf26c5dd9d99b7b86
SHA1 hash:	bf41a267e768fca782e6861ba274aac58f79a959
MD5 hash:	963f526636c53e9ecf5af8025e0daca0
humanhash:	fourteen-five-shade-utah
File name:	963F526636C53E9ECF5AF8025E0DACA0.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	582'144 bytes
First seen:	2025-01-19 12:00:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:UfLYRxA4Y5lyA/BxSPCPU0/iRsFpPQPht0XJ1vzUZdJFk7UQlbd9JU:XR6KRDPht0HgHUvbdX
TLSH	T1FEC4F1553269D803C4A70BB10A32D3F95378AD9AF920C7939FE93EEF79B6B412540352
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	48d4f4f0f0f0d8c0 (37 x RedLineStealer, 18 x AgentTesla, 9 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.222.57.84:55615

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.222.57.84:55615	https://threatfox.abuse.ch/ioc/1388022/

Intelligence

File Origin

# of uploads :

# of downloads :

5'008

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Packed.Boxter-10005643-0

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=678e2c01b5602ee8cdad794d

Tags:

redline virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Connection attempt

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Reading critical registry keys

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/678ce97f753e7f74f8735463/reports/6a46e2d1-612c-4d8e-95a0-f9bc45cebfab/overview

Verdict:

Malicious

Labled as:

Ser.Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3beeee41-3fe3-4e61-8b81-0d17ed1ca459

Result

Threat name:

PureLog Stealer, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1594596

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3/

Threat name:

ByteCode-MSIL.Trojan.Jalapeno

Status:

Malicious

First seen:

2025-01-14 20:11:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kxkie5vzdlqhwssle2vqotjpvze77xxh6it7yysypjdgs3wl6kzq._file

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:redline family:sectoprat botnet:cheat discovery infostealer rat spyware stealer trojan

Link:

https://tria.ge/reports/250119-n6v4hswmhz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Malware Config

C2 Extraction:

185.222.57.84:55615

Verdict:

Malicious

Tags:

Win.Packed.Boxter-10005643-0 stealer metastealer redline

YARA:

n/a

Link:

https://app.threat.zone/submission/712391e7-6f12-4bf8-8ee0-7f8eb378ae38

Unpacked files

SH256 hash:

eb121db69e3170a0f28a8be6007cf44724acb9d636255c1bb046779f966bf8c5

MD5 hash:

ca8a2b6fb507d773528cb1825a93c854

SHA1 hash:

af99f26eb675d09c85a63ffdf51671da31dc7cd4

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/203c5777-07fb-4dfc-9e6e-39c9390baeca/

SH256 hash:

9d48128d5b99c530636d565f87702504b7a87800323c0a55fd08d018263efb95

MD5 hash:

a09e94913b0f584c4de9fcd806ce9c91

SHA1 hash:

3db2226f195bc6ef3edab6ff4b069ace58878499

Detections:

RedLine_a

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/203c5777-07fb-4dfc-9e6e-39c9390baeca/

SH256 hash:

fe26a8a1df970da362283c68cfb162d4f1acc95a82ef2e8046a567083e658465

MD5 hash:

cd4c77cd32b55506c5682eba826ef4fa

SHA1 hash:

2205c17610803a3dbc2523a753f17cf9de0bc5b2

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/203c5777-07fb-4dfc-9e6e-39c9390baeca/

Parent samples :

4666a51c6fef5c674a2f9596f5dfc485d0ed15646c1009ae3b586ddc78ed0910
7a531101bc8522d52f45933945d6b8728ad7b7f3c9aaefd2d18742f8ec4000cb
ee6993e7afbf9a039db981542c0250e22fcaa01434db911732851c9e52bb38b6
6439c8e94bd2398ad15bd8cbf86a9ca9528cecf77506357e894a359880282724
441c8c73ea3f781774e9ee684d4d51127ec736c9fb6423fad0aea20695abd3c3
58dfe85f084bedbc1861ed4afada8f0e284a70e10c84065cc6df13adc9fb45db
f4e61d736a58a0b2adb7acfdf25eb70f7c11f78bb98c23692678fb562e5cb0f4
502495e27b074fbeed433e65b5b72a694dba9bf7b02cacce16456fdfa8c36a59
9109456918e7833784c58988098f87eb007e4038f516241972d4cc2450f43df3
ece7de25d48e50e93d3d60f600a7676fe24a520916844f6826b4837ac8dd7ebc
8d3b00bb743c8d64e425c6014136080805acaa3cac12bf62151bb1e19908a89f
ff686f645ff7a1b0672895a7a72a5ee528cd112b2469182c79c98f7621af607e
bcfeb4ec31e731899a0ddd0a608aa7ecbfbdbf37f4ac3810b275ba6905a1969b
1528a6080656c5a8cf440d976047d7fa31e93e483c10142f416108f211145ff0
68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422
f4da65fff4d9b2420e2375ce736d02b0dab3e4776115346c5219891ea8fc3c97
51f6f6e72cfb335f6e1d7936e91362c7993253ed665b772099327f90e5119682
3bee4d2ab33ac3f0605136f09cba556140d62ce9a0c1bdb1639159b43ae58943
e5eab0d46a0a0500431f1ef78dd03c8dc17b97794f558624dfa7a567e24245e1
31e7559f21054aca8a1cd2287e322f22e03ac6cbc84e1265c8ac1a3367403989
73c0f45b365444e09376cbea6f71b5f877af98eec65f809a6b078f206a6d4430
7eaa48d7132470ee30d85752c4d699c2667ef54c3b8270b9a67d9bbc41021bf1
7365e206478fad792a4c64390b32e1d21b16a5c080a6215eba8498c638877f06
a938112a54a6d8f1cb129c26253d2c11b2285837131c33d702a9e0cb5411c929
55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3
effc68899a8894822054617b45d79a9b94f7b756c6ce55d0682c1c7ed7f52e60
4c51ade72aa2794149ab89c2db1913bbb7d9ffe35b8b19d0217744356c998744
125ec05200cbfcdfb774f734bcb6c32fbad9008f77feef9988fa9267e35e1ff4
994854c28e40e16874b726f21d183fa9209796321eff16fce8f638a7715d4c01
d1492c1b794e9e2825ab8c8dc030b73b18abe9b0c56a563edda6c9cb82921dfd
bb5414b3b9d636e081ef58e16f74b041a3eb30ec5eb4a4235fe46972eba0c519
02430eed2a0da0347c2b28a864ca61a55a79a925f4fbcdccb2806f2030c2ec4e
20da52004f3b7664034886b4a4f1b9fb5d8d89ef89daf874e6a28d349cc93364
fad0d7b591575802da0e35b68ece5c3e47aff15c4e4d21f7c1014cbd58ee4b70
381f81e90da0353da606d75889c7b361b98e281121a68198f8c04374451747a6

SH256 hash:

55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3

MD5 hash:

963f526636c53e9ecf5af8025e0daca0

SHA1 hash:

bf41a267e768fca782e6861ba274aac58f79a959

Link:

https://www.unpac.me/results/203c5777-07fb-4dfc-9e6e-39c9390baeca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021 Create hunting rule
Author:	BlackBerry Threat Research Team
Description:	Detects Unobfuscated RedLine Infostealer Executables (.NET)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Trojan_Generic_40899c85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_15ee6903 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_4df4bcb6 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_6dfafd7b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_f07b3cb4 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_f54632eb Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample