MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
SHA3-384 hash: 90c4d194bdffb6f958ad4ce4b2e57cc4ec59ededf500b9b1bc32fe908542ed1e7eaa5e9bd10186d4d44804a2d1892ceb
SHA1 hash: f4fc679b178e2efd58ce3cfb508a6991102eabb8
MD5 hash: e185c5dd5842c1f510b3d170ca7fbd35
humanhash: may-zebra-ceiling-happy
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:347'648 bytes
First seen:2023-10-14 19:45:49 UTC
Last seen:2023-10-15 07:05:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 89b4938a013d6b8954f68c2ef1293c62 (10 x RedLineStealer, 4 x Amadey, 4 x LummaStealer)
ssdeep 6144:gEJsICnU9Q8gq5Lrr+uUwTcKPcEhlXsYF6VDy4ghkoK+ABJ5qKEeRMfIt7KdzPoJ:gosICnoDUwTcKPcEhlcYIVDy4ukp+ABT
Threatray 1'112 similar samples on MalwareBazaar
TLSH T125744A0CE8CBE33BC9D14F7AF101EB19276EE9611560B66B23150EB514D0886D7C7EAB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
41
# of downloads :
313
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-14 19:47:56 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/573822af-5946-491b-be66-d3c8e8b28a04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454410/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.27638.14457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Suspicious
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652aeffaa29a700213a27d71/reports/c0872fd2-fa3c-450b-a250-3a468079742c/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2462e10-330f-432d-8abe-c9a8616ee809
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325767
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found API chain indicative of debugger detection
Found malware configuration
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-14 19:46:04 UTC
File Type:
PE (Exe)
AV detection:
15 of 22 (68.18%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7ssqwoaa6ss5smw4m5rsegmxrxwxney23fforyfhuqxjee4wofq._file
Verdict:
malicious
Similar samples:
1280f3b0685a9b93304138a84f844b46e9299e692e39cde9c3aff4f66c0a1171
RedLineStealer
2107e84b01653f8e78e3160c29406b50f7ee6e589ee98d4163243d9030fd6405
RedLineStealer
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
RedLineStealer
347f0e9c3b75ed07fe583c1977aee33329700ab45f88d514f77672575a6162e7
RedLineStealer
3566f3d8f60af880aeda5db541d2ae963868362daaaf85f14f7f802a7362e99a
RedLineStealer
3f61b1490dccdd36a2307b6376b6b682b988815bbd7ac5805315ff2f7f6aa649
RedLineStealer
4829c79709a464c0a10d17053c6916df5a0f1f500ebb10af230e35d548ea3265
RedLineStealer
7a5123e6567a7d3389544141839d60714b49e078037c683fdd3a8f8211bff9ce
RedLineStealer
e06732e3ed9b23c2f1c1510c609b12e7613d0aea596391b7e1d674904542a1dc
RedLineStealer
eed45d9e5d96aeb74fe1cc69021711612a369fda742046e59c00a9515de1e242
RedLineStealer
+ 1'102 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:build285 infostealer spyware
Link:
https://tria.ge/reports/231014-ygx7padf43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02
MD5 hash:
281cdc7e284b96011624acded1859799
SHA1 hash:
af8e34c4c7708547c8f2d35a13121c7a9d6fcd20
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/51f788c6-412c-4b00-8767-d67e0ebb3f92/
Parent samples :
399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d
SH256 hash:
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
MD5 hash:
e185c5dd5842c1f510b3d170ca7fbd35
SHA1 hash:
f4fc679b178e2efd58ce3cfb508a6991102eabb8
Link:
https://www.unpac.me/results/51f788c6-412c-4b00-8767-d67e0ebb3f92/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fe52859c007/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/
Cape
Cape
https://www.capesandbox.com/analysis/454410/

Comments