MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2
SHA3-384 hash:	9fee0a521c0c61541cda27db1455671d26f3de9e71c7fef7eb7d95dd087b831daff53cc27a5eac8a1ea4034c2fbfe789
SHA1 hash:	48d5ea799400caebc1f2c572dec2813fd9e46893
MD5 hash:	ac08d04e9fafc4bf8d4ae8880dfc6736
humanhash:	fix-beer-cold-kansas
File name:	ac08d04e9fafc4bf8d4ae8880dfc6736.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	343'040 bytes
First seen:	2023-02-01 14:34:48 UTC
Last seen:	2023-02-01 16:51:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	66bfc39816e8f6ee52bb21c72f57e3c6 (7 x Smoke Loader, 7 x RedLineStealer, 3 x Amadey)
ssdeep	6144:mWgsCh9LiV+7+d4ZRewkF6CB4c0QjVzP05/cdxpx1mM8a8YH2PqXaUx7FN2:mWXU9WV+7+2eNF6CKcpjVzP05/Chlv8G
Threatray	15'449 similar samples on MalwareBazaar
TLSH	T15A74F13275D0E07FC6B301709D20FBD46BBEA5311979480B7B58066E6F70AD1AA7634B
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	816a6e6a6a6a6a60 (22 x RedLineStealer, 8 x Smoke Loader, 4 x Amadey)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

52fca4d08faccbd7d3f9a487158ed24a

Verdict:

Malicious activity

Analysis date:

2023-02-01 11:13:25 UTC

Tags:

trojan amadey loader rat redline

Link:

https://app.any.run/tasks/bbc79515-09d4-49ba-85ba-0b9f9e2c1e77

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/359048/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19258.11723.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Unknown

Threat level:

0/10

Confidence:

75%

Link:

https://www.filescan.io/uploads/63da789889bd67c10fdc0481/reports/b0fc32f0-cf82-4d76-8991-63c76f368e1b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5483a7e1-e74f-4ea6-802b-fc6c7e284460

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1163791

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-02-01 14:35:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ldztst6wg7yijhxetom52zvyndas3a4g6r75hgbbuabj6syp4xja._file

Verdict:

malicious

RedLineStealer

18462c2005b53bab1b5417eb71b3b810eba511da0099785a04a020c34ec13deb

RedLineStealer

19f2539486d7b7a3c3c5f2e81851ef4220cdb5adb95778d1b7464fdd2b9f506a

RedLineStealer

229484c313e746b213dd8a5450d9287c0ceaab277da8e5e4b0b75b7d57f363ef

RedLineStealer

54ea63fd5a034285a7f3579cbf5301f0c7ca6d0c7beb98c39026e535710b1351

RedLineStealer

631ea17c524a31a72bd97071aca991712c59b1b3b69857a5dbfed5a81af18a86

RedLineStealer

7a0b21299484bd83d27963c5ae20bbe1ff83961cf156e7a54fefb463f9d3f477

RedLineStealer

8dd8a1c9cb745d294c0a776f24c0f9d1f231bad472dc842809670e34e4cdfaf4

RedLineStealer

bdadd5a7fe2dc1cedc9a218ea29f979cb834e163cd144055c3351a9a9996be07

RedLineStealer

fce6fca0152d67e557b790f4f54628366a14e7a0758e218ef0afe0f56fc479c9

RedLineStealer

+ 15'439 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:fredy discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230201-rxz8naca3z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

62.204.41.170:4132

Unpacked files

SH256 hash:

44a1bf37db59ffefc1fac2412110cbad2972d28ff563477367a68fae8d7cbd41

MD5 hash:

4255fc1fef03063dd4ba5095fe84d2f9

SHA1 hash:

8434939b022c2bef23627d1e4fc4e0726e38f38e

Detections:

redline

Link:

https://www.unpac.me/results/965bb92a-8b8d-45e7-897f-aa0d87c3c27d/

Parent samples :

c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f
6f69d4bea4681b9ef42b65f4a4479bcaa0824d21f71020a8820e3e507aca3e4d
93691d155e47e29109a94902362d651cdf5dc5ba17b1e8b665c4fc99dd370e1a
45abce6e11b5dec3a8d554e632e30609ce1998db3d969bc0117449976e45c730
c66cd92a155b70f1335dfcff0825bf851b4b1e9c6ea53e6d6087fd87df8ebe50
58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2
19f2539486d7b7a3c3c5f2e81851ef4220cdb5adb95778d1b7464fdd2b9f506a
768eba7cebce8cef3a57585b6b718bbcb4ce6b3a63453a81731fa1285ce39e8f
41fa0edee86cfc72ac4bb3628b3773269038ca1227fe3abe88b878e39c4fdff9
1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578

SH256 hash:

57c14ed6abd44dc0c82f0b7d7d157297f06625213099468658862d446f4bddef

MD5 hash:

cf403e03ec81ae4c9f2046f1fc42b619

SHA1 hash:

8332ced036e9310035bed471527c4bfdec20d9c3

Link:

https://www.unpac.me/results/965bb92a-8b8d-45e7-897f-aa0d87c3c27d/

SH256 hash:

38819db2952f3a782a5968b2c0e5a4b4ab6b49577be5949bb7248048013a21cd

MD5 hash:

785b173a87fcce653364a9b0dd2f4065

SHA1 hash:

3b160f4590045a14ddd7bbd7405e7b4b5dd9c0c7

Detections:

redline

Link:

https://www.unpac.me/results/965bb92a-8b8d-45e7-897f-aa0d87c3c27d/

Parent samples :

45abce6e11b5dec3a8d554e632e30609ce1998db3d969bc0117449976e45c730
58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2
19f2539486d7b7a3c3c5f2e81851ef4220cdb5adb95778d1b7464fdd2b9f506a
768eba7cebce8cef3a57585b6b718bbcb4ce6b3a63453a81731fa1285ce39e8f
41fa0edee86cfc72ac4bb3628b3773269038ca1227fe3abe88b878e39c4fdff9

SH256 hash:

58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2

MD5 hash:

ac08d04e9fafc4bf8d4ae8880dfc6736

SHA1 hash:

48d5ea799400caebc1f2c572dec2813fd9e46893

Link:

https://www.unpac.me/results/965bb92a-8b8d-45e7-897f-aa0d87c3c27d/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/58f3394fd637/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/359048/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample