MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 579532a04b63aac5992010d56fa6cc982855b194d9782f5cfff3b063192a94d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 579532a04b63aac5992010d56fa6cc982855b194d9782f5cfff3b063192a94d0
SHA3-384 hash: 74f54efa06d1b9e3fd3d8862c8544fe774a848b9636ef68595c72500b42a7987f172350d973777401e144a0bda7825ca
SHA1 hash: 691f4c4d7b8b126708fcd78b2f4b576af289640f
MD5 hash: 67be58406c35ca33314957be60ec7402
humanhash: blossom-triple-mike-oscar
File name: file
Download: download sample
Signature: RedLineStealer
File size: 296'960 bytes
First seen: 2023-01-29 10:27:39 UTC
Last seen: 2023-01-29 19:30:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 3072:bOhX0N7+f1c57UQyHjTweABJPNG8l5CbgCj9E0OMx7e:ihEN7+ZHDmBJVJOgv0OMJe
TLSH T173541E46B38999DEF4913F3084E23F67137A2E60205D1E43AE3276CA7E751C1706F6A5
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE): PE icon
dhash icon 308a8a8c8c8a8a30 (6 x AgentTesla, 3 x Formbook, 2 x a310Logger)
Reporter andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from https://vk.com/doc139074685_655168416?hash=Vatz1CtFp7Er7hnZCMftbzE7BxxlwbsqcX5t8CWa25g&dl=GEZTSMBXGQ3DQNI:1674987822:hTyneu53auvTPJB7V5SJjfdZhmH5AmkJYTZruZldRjc&api=1&no_preview=1#sup1

Intelligence

File Origin
# of uploads:
209
# of downloads:
202
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-29 10:28:04 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Creating synchronization primitives
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a window
Sending a custom TCP request
Changing a file
Reading critical registry keys
Stealing user critical data
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
2/10
Confidence:
100%
Tags:
advpack.dll anti-vm rundll32.exe setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Signature
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Behaviour
Behavior Graph:
Behavior Graph ID: 793733; Sample: file.exe; Startdate: 29/01/2023; Architecture: WINDOWS; Score: 52
Process tree recovered from the graph: file.exe started; rundll32.exe started; file.exe -> cmd.exe started; cmd.exe -> temp.bat.exe, powershell.exe and conhost.exe started
Dropped file (by cmd.exe): C:\Users\user\AppData\Local\...\temp.bat.exe, PE32
Signatures in graph: Multi AV Scanner detection for submitted file; Suspicious powershell command line found (attached to cmd.exe)
Threat name:
Win32.Trojan.Privateloader
Status:
Suspicious
First seen:
2023-01-29 10:28:08 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
10 of 26 (38.46%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SHA256 hash:
579532a04b63aac5992010d56fa6cc982855b194d9782f5cfff3b063192a94d0
MD5 hash:
67be58406c35ca33314957be60ec7402
SHA1 hash:
691f4c4d7b8b126708fcd78b2f4b576af289640f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments