MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 594c356abf2b649f2df38a25ca6f3d43b43e842644ce90e3417ee0233a1d8a0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: 594c356abf2b649f2df38a25ca6f3d43b43e842644ce90e3417ee0233a1d8a0c
SHA3-384 hash: ae11626f2d412660b5c888b12d62bfa254635f15bfa983c0ed5c1f3c908250629c8be7eea51e40f5ed6b5acebed1646b
SHA1 hash: bffcebdb85df033df1f4101e482a8b506e8b5f5d
MD5 hash: 78f02208b1ad70823473c716793549f6
humanhash: charlie-oxygen-speaker-high
File name: Dijklander Hospital sheet for an allergic client.scr
Signature: RedLineStealer
File size: 29'547'877 bytes
First seen: 2023-07-23 07:58:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 196608:lxKGTSlTrIov0ZR+2DUoeVkHe0sUBF0zi9iM4TE2Do+61VPZuagcN:ljTPoviTzeu+0sLziL4Rkr1VPZ9nN
Threatray: 573 similar samples on MalwareBazaar
TLSH: T1BE57D8D634190A377EC2D6ADD1EA4100A8847047877BEBB45D347132A6BBFBB2116D3B
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.3% (.ICL) Windows Icons Library (generic) (2059/9)
  7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: d2b2b2926c7492aa (1 x RedLineStealer)
Reporter: Reverse
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 357
Origin country: RO

Vendor Threat Intelligence

Malware family: danabot
ID: 1
File name: https://drive.google.com/u/0/uc?id=105imaSF9X9Klw3a35YEEWGpOA_6YiNtI&export=download
Verdict: Malicious activity
Analysis date: 2023-07-23 07:19:14 UTC
Tags: danabot stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS

Result
Threat name: RedLine
Detection: malicious
Classification: evad.troj
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for dropped file
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
  Found malware configuration
  Hides threads from debuggers
  Injects a PE file into a foreign processes
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Uses known network protocols on non-standard ports
  Writes to foreign memory regions
  Yara detected RedLine Stealer
Behaviour

Behavior Graph ID: 1277859
Sample: Dijklander_Hospital_sheet_f...
Start date: 23/07/2023
Architecture: WINDOWS
Score: 100

Process tree and signatures recovered from the behavior graph:
  Sample (signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures)
    started Dijklander_Hospital_sheet_for_an_allergic_client.scr.exe
      dropped C:\Users\user\...\Installer_Wizard_v9.0y.exe, PE32 (listed twice in the graph)
      started Installer_Wizard_v9.0y.exe
        dropped C:\Users\user\...\Installer-X_v6e.6h.exe, PE32 (signature: Multi AV Scanner detection for dropped file)
        started Installer-X_v6e.6h.exe (signature: Antivirus detection for dropped file)
          started powershell.exe
            network: 91.215.85.210, ports 50443 and 60176 (PINDC-ASRU, Russian Federation)
            signatures: Writes to foreign memory regions; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Hides threads from debuggers; Injects a PE file into a foreign processes
            started aspnet_compiler.exe
              network: 5.42.64.53, port 22314 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
            started conhost.exe
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2023-07-23 07:59:09 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 13 of 25 (52.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 594c356abf2b649f2df38a25ca6f3d43b43e842644ce90e3417ee0233a1d8a0c (this sample)

Delivery method: Distributed via web download
