MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59467b483c8aac3cd8cfa57bb9ac5de0eb179bc458ad925332ddb46645ae05c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59467b483c8aac3cd8cfa57bb9ac5de0eb179bc458ad925332ddb46645ae05c8
SHA3-384 hash: 45945194fa03da64888a07bd44ac6abd7e23dad7464947a2080c5a825a1d6b5ebe2f4f44ff18282af60dca43f556d9f5
SHA1 hash: a249f3e3597503146fa85f671480f20f3844e1e2
MD5 hash: 4e60410e32f7800ecbbfb20c99b6c454
humanhash: artist-idaho-nebraska-bulldog
File name:4e60410e32f7800ecbbfb20c99b6c454
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'411'792 bytes
First seen:2022-12-05 22:40:21 UTC
Last seen:2022-12-06 01:27:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c69529633147fae61949183715b7d49d (1 x LgoogLoader, 1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 24576:CimB9A5TmTEA4R3TV9SBERJYXg7FP6fi7Ikj5gaLxHC9tFV5eUYJ9f0U8WUK5qka:CFA5A4t+oP6q7L5jU5exTf0UBXg
Threatray 3'434 similar samples on MalwareBazaar
TLSH T16B651200BEE1432AD4A702BC092AE7E261B5F9BE3A768097376512179F711F0E954F4F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f4b2c89ed6ccf0 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:www.startech.com
Issuer:DigiCert SHA2 Extended Validation Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-06T00:00:00Z
Valid to:2023-08-18T23:59:59Z
Serial number: 05c171e14a1330e1892ba2a1d097b3e3
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b33ffd6ea0f3ff77319c574c32083245255c0cf14c927b99813721caf8cafd5a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-05 22:38:15 UTC
Tags:
trojan amadey loader
Link:
https://app.any.run/tasks/3de4b6b5-c5ad-4c51-84bf-4daf7b68b43a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/343104/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.4115.13478.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Changing a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed zlob
Link:
https://www.filescan.io/uploads/638e737ea2c2485912c7a0bf/reports/2b94e2a9-0108-483b-8310-c00c0967e4fd/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3cd29e98-c89b-4524-9c0c-0722c0f61bd2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1128495
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59467b483c8aac3cd8cfa57bb9ac5de0eb179bc458ad925332ddb46645ae05c8/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 22:26:36 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
14 of 26 (53.85%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfdhwsb4rkwdzwgpuv53tlc54dvrpg6elcwzeuzs3w2gmrnoaxea._file
Verdict:
malicious
Similar samples:
01a1484a30212f8511f04ed162f54d04e921598154bde03e3c594caa41d70342
RedLineStealer
698be97c5a81c14f1b7d7a21065a41a694c4bf5d45fd0b4b8b8e5b1b2954e80f
RedLineStealer
7418770a1f2b64379c4d9b780b1d7988c54d571987cee942595a48be0d10118c
RedLineStealer
75517e683e81171572dab2526e9583d31c679744b12b251d7d6c6cf14f83f21a
RedLineStealer
9db991fdef3df8cc988860aae951bbf165ea6625fa655729ecc2625bef9293c1
RedLineStealer
c144d8f95f85a7a2467ebf1594045ec5340ab0251b409503525ed3947e382a0d
RedLineStealer
+ 3'424 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221205-2l3vhsdh39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Unpacked files
SH256 hash:
405b7717442c538efd9a8b60736ea795044b0c7a02ce0c42554b5c6cc192d35f
MD5 hash:
212f2ce6da00fd0540d74fedaa188ebe
SHA1 hash:
a231b0eb337861e4dffdd078ff41609bd92fb1cc
Link:
https://www.unpac.me/results/5868296e-2471-4129-9937-cecf1cb7228e/
SH256 hash:
59467b483c8aac3cd8cfa57bb9ac5de0eb179bc458ad925332ddb46645ae05c8
MD5 hash:
4e60410e32f7800ecbbfb20c99b6c454
SHA1 hash:
a249f3e3597503146fa85f671480f20f3844e1e2
Link:
https://www.unpac.me/results/5868296e-2471-4129-9937-cecf1cb7228e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/59467b483c8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/59467b483c8aac3cd8cfa57bb9ac5de0eb179bc458ad925332ddb46645ae05c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 59467b483c8aac3cd8cfa57bb9ac5de0eb179bc458ad925332ddb46645ae05c8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2446871/
Cape
Cape
https://www.capesandbox.com/analysis/343104/

Comments


Avatar
zbet commented on 2022-12-05 22:40:25 UTC

url : hxxp://31.41.244.188/lego/CRYPTED_BSI20221205.exe