MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 567eed6ecf2cdd673cc71e91a376110eb2736239fe7bd70214277e2c5c78a9dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 567eed6ecf2cdd673cc71e91a376110eb2736239fe7bd70214277e2c5c78a9dc
SHA3-384 hash: f3ab7ca2782448e1907b89fc04dc7361fb2d646227b2e88e3e83d439d9c4e47e75d873a651f458ac594476050ce95821
SHA1 hash: 778f7a932004c9aff7d26b98ff1cc3dd746e00d8
MD5 hash: 2cb1b3c81752a22e37bebb0584e3ff12
humanhash: west-sad-skylark-december
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:187'904 bytes
First seen:2023-10-03 09:27:22 UTC
Last seen:2023-10-03 10:38:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f707ada0aac189999ec6eb4a5a71dfbc (8 x RedLineStealer)
ssdeep 3072:DoXsPUOyi55lyjlmG5gJVX/2jyfvFkRzC2Tbj6lpaippjIQHPWGLC8eZk1SGj2vv:Dom55lyjlL5gj/2TilpVpjIQHPWGLCpF
Threatray 817 similar samples on MalwareBazaar
TLSH T15B047D54731C82BEC1FB5BB210118424271B438942E8FA9D76E396E93FF8BD2659D70B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc52355237_666490104?hash=GiYzqXUKPPAGkcqgKE7jMMikgjIymSTw2DA0YUehpVD&dl=Uw1eXlXdjbQi6CjIjz2ffS4OsHrl6gMw17vzCr6Fw7L&api=1&no_preview=1

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.30708.27073.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/651bdea200484a1560012f27/reports/f097466c-7e95-4bb1-b3ff-6b243cd48ce3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/567eed6ecf2cdd673cc71e91a376110eb2736239fe7bd70214277e2c5c78a9dc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4fe8712d-2526-49dc-a22b-9d935afb6fad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/567eed6ecf2cdd673cc71e91a376110eb2736239fe7bd70214277e2c5c78a9dc/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 09:28:04 UTC
File Type:
PE (Exe)
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kz7o23wpftowopghd2i2g5qrb2zhgyrz7z55oaque57cyxdyvhoa._file
Verdict:
malicious
Similar samples:
11b6a605fd5eef9a3906901c6bff84d798f1bf70f7432bea6a32a5f330cbfb35
RedLineStealer
24b59d3e70544f92ab86abdb9281afed6e1f0e028b8a7ef7f67211839717e646
RedLineStealer
42322e745f3759573c25222a149eb1be37e3899490abce4dc474580cf260d123
RedLineStealer
59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff
RedLineStealer
6f4862590486f5484716a3b3006b57f91e87c45f1e65fe0d41f6e80086fcad31
RedLineStealer
e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245
RedLineStealer
fbf47a5d81f5bd6a68af9696a43cb4dbf4fffe8774dde6f34661f2b38fac8e1e
RedLineStealer
+ 807 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231003-lfbababe62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f35ab893756d820b9ee54ed3820b9d5be08339caa26c9ad5b42b6353504491a1
MD5 hash:
74a25a1a7b182e56534b6a6e4f4dad46
SHA1 hash:
ca6a2839b1c668ea5d0e05a6f716aad5567d5b83
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f676d594-459e-463f-92cb-022d9fa3c43c/
Parent samples :
c4b216b616c005c7ae84dfbdc5f2a99172825e1ee362555ddad8ed29f23313d6
567eed6ecf2cdd673cc71e91a376110eb2736239fe7bd70214277e2c5c78a9dc
f777b3ac9761709880db21aae1eaa2adece3d2240a20408edc5917f9e9205b52
44f815eeb2769d9881d9a4fafe9e36e7a8c3de1a2e6cd70af5262add15d376e4
SH256 hash:
567eed6ecf2cdd673cc71e91a376110eb2736239fe7bd70214277e2c5c78a9dc
MD5 hash:
2cb1b3c81752a22e37bebb0584e3ff12
SHA1 hash:
778f7a932004c9aff7d26b98ff1cc3dd746e00d8
Link:
https://www.unpac.me/results/f676d594-459e-463f-92cb-022d9fa3c43c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/567eed6ecf2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_stealer_bytecodes_sep_203
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments