MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22
SHA3-384 hash:	b4d6b64a4fce779ea6e0a107e3d44dea84d7210fa21eb67ce3e8c2b67270646339181e02f377604641cf07cc78d38351
SHA1 hash:	0233722366f835b00c82ad7b6eed9323624bf8b3
MD5 hash:	b1efca88444b9184193151dc0033c34c
humanhash:	paris-football-minnesota-arizona
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'616'352 bytes
First seen:	2022-08-22 15:33:17 UTC
Last seen:	2022-08-23 11:52:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep	98304:HWakNlq6RVkovgcWQYcqRtLMvXWJ78c1yzvMFeGit5IlK:HIxRVk4YfRtLqnCyzvMItp
Threatray	212 similar samples on MalwareBazaar
TLSH	T14D26027363514091D4E68C318937BEE471F6533B8B41F8FA69D9ADC229236F5E232983
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	d8a68e9e96a296c8 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Panasonic SC-TMAX20 Combo version
Issuer:	Panasonic SC-TMAX20 Combo version
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-08-18T14:34:23Z
Valid to:	2032-08-19T14:34:23Z
Serial number:	1df825145699e9bb49ddb5621d39fbc1
Thumbprint Algorithm:	SHA256
Thumbprint:	e6e8d8f56af6502b36a8edad96253c583e4cf894004cb2aed7705d852c8937e8
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://cdn.discordapp.com/attachments/1005487487826788395/1010578138444607609/ssdd.bmp

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-08-22 15:34:07 UTC

Tags:

redline

Link:

https://app.any.run/tasks/e38f6fdf-a7f2-43f7-a7e2-cd3734a37663

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/300305/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.15717.4929.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file

Creating a file in the system32 subdirectories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/6303a23a3cbb13868a708df0/reports/68c17e7b-a0da-4740-80da-58328b355785/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b9a50730-ddc9-4149-a31d-18a1423d0569

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1055700

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22/

Threat name:

Win32.Spyware.RedLine

Status:

Suspicious

First seen:

2022-08-22 01:34:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mbjl7v7wkoa5fcpmepxnff6cmskjvw7kzdxiifr6vhwadd7rfyra._file

Verdict:

malicious

RedLineStealer

7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6

RedLineStealer

9d2faa0580721927557823d1c965fb34483a3744a6d1d7418e976f0e35322c79

RedLineStealer

a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e677e003d3adf74f4e9ec

RedLineStealer

ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645

RedLineStealer

c7ac25825a843f18b18ac2824d143d2c00a032e6f5036da405370ca20b9d877b

RedLineStealer

f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d

RedLineStealer

fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a

RedLineStealer

+ 202 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/220822-szsf9shgdn/

Behaviour

Suspicious behavior: EnumeratesProcesses

RedLine

RedLine payload

Unpacked files

SH256 hash:

b9cb365788ba13df25f85ba8f0af41beb34e191cc72d7abb4a8a1d009db6d5cb

MD5 hash:

8080f827452b6ef5222d02e8331e3913

SHA1 hash:

813a1d3f41c378adcfd6c09b9dff59963e2081e9

Link:

https://www.unpac.me/results/71160205-0fad-4dd3-b6a5-ed946df67609/

SH256 hash:

9acc983aa04637f1b2f3a154de647f1658d7b983d68160e104a60e784fa285d7

MD5 hash:

694a57dc3d045a5ec176db343eba1598

SHA1 hash:

2bccbe55f063cd4dd4a467d5a924f72e0d5768f2

Link:

https://www.unpac.me/results/71160205-0fad-4dd3-b6a5-ed946df67609/

SH256 hash:

6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22

MD5 hash:

b1efca88444b9184193151dc0033c34c

SHA1 hash:

0233722366f835b00c82ad7b6eed9323624bf8b3

Link:

https://www.unpac.me/results/71160205-0fad-4dd3-b6a5-ed946df67609/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6052bfd7f653/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300305/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample