MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 637230043b334e6dc055e574e813492f472083212c6a5218bcf3bda722953df9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 637230043b334e6dc055e574e813492f472083212c6a5218bcf3bda722953df9
SHA3-384 hash: 5fb025a866f49758c1be9d3cc23e5045bcfe47070941c9fc40bb4fa39f4ee6c532667056a70a08cada364595d15157ca
SHA1 hash: 4ba42fe57144fd58e4b39348b9ef9a561c02a47f
MD5 hash: c49d6771cea35b0b34cc842b4b6704ef
humanhash: autumn-network-sixteen-chicken
File name:CopyOfPayment2243G772GD77GD7737763BHHGSDGHUYE.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:657'408 bytes
First seen:2023-01-27 14:00:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:tscBFjCfuXdm4S4w1gzs4sKhgNUDAaB9MEMMgvDDlXwRcQQwzOqO2PMI:DXYwwH0RKD5XwRcQ9zLO
Threatray 6'442 similar samples on MalwareBazaar
TLSH T10EE423116EB85365C85D09F88DA81D0463F6AE95BC17C7163CE270CFA976BE2001BF9B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
37.220.87.3:1468

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
CopyOfPayment2243G772GD77GD7737763BHHGSDGHUYE.exe
Verdict:
Malicious activity
Analysis date:
2023-01-27 14:01:48 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/69764097-7006-4dbc-b46b-eb45893aa193

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357404/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d3d9222d4f6d560e2345a2/reports/f4137c9e-599a-4a6f-9ed9-81200b132ab8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0dd8fa3a-63ef-4922-9a0d-91c431ab6a36
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160239
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/637230043b334e6dc055e574e813492f472083212c6a5218bcf3bda722953df9/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 14:01:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnzdabb3gnhg3qcv4v2oqe2jf5dsbazbfrvfegf46o62oiuvhx4q._file
Verdict:
malicious
Similar samples:
56f63b02b2937f3a3cddae702465c1fb1f8f926a09a7ec6fe00a43ce447cb24b
RedLineStealer
63ecac48461e7409c5de9fa605737de278bf2411d59964d24f9da85465c83011
RedLineStealer
9b610ce7c1a9e3b0919a515ca56a58b2d1a2fc5950f367e9378fe1460bafcff6
RedLineStealer
a47b82f49888184f9b3ccdcd116b7e0fa1e313fb03c31825b38571cd360d732c
RedLineStealer
c2f91a91c984d5e46cbf5285781ffbe64f7e3326f88ffc9b1415bd956859c8c7
RedLineStealer
e9bd723975e0a440e52c11f8df79d37e0607bd20cac3daff0661c4bb0ab7f129
RedLineStealer
+ 6'432 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer
Link:
https://tria.ge/reports/230127-rbjnsabd99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/7ea7424c-18a1-4966-83d4-76a0c036dbd0/
SH256 hash:
cd2902e996a3ce1c75218bba99e035152a25fc3aa2437e7835497e80c4116e60
MD5 hash:
4e6863fc6af205ed3a51d898bcc45904
SHA1 hash:
6ce527a76ba98d44071320bade164bbfe5789eb4
Link:
https://www.unpac.me/results/7ea7424c-18a1-4966-83d4-76a0c036dbd0/
SH256 hash:
ec553eb6053c351355d85cded34f599b15739816d688e74b077f82d85059d2c6
MD5 hash:
410c3391e1b749e9c336ec9c35e45935
SHA1 hash:
619132eabb8fc1e9d8de3ab3ce225288388e2380
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7ea7424c-18a1-4966-83d4-76a0c036dbd0/
Parent samples :
637230043b334e6dc055e574e813492f472083212c6a5218bcf3bda722953df9
b330db061c955516a6a4eefe454e57d08989e8b13ce2b33730ebd5790887bc2d
SH256 hash:
6ad70040dc0f8fcb4d84be68a29305056da6b8b2f5fdc148303b8a32a6edae6b
MD5 hash:
1993dddbe62c47d2b5b57e587d9fb87e
SHA1 hash:
43b5e289f8eacb7685c29a105c0336013de118a1
Link:
https://www.unpac.me/results/7ea7424c-18a1-4966-83d4-76a0c036dbd0/
SH256 hash:
5410598c409e698c61ae0e5611152e0d5f9311c256f4d51e3378a38fb410a59e
MD5 hash:
4c6d9a29b33a5bf900db7ee115fd1597
SHA1 hash:
1c85f505c4c14a4c7ec079661873e91a35c88abc
Link:
https://www.unpac.me/results/7ea7424c-18a1-4966-83d4-76a0c036dbd0/
SH256 hash:
637230043b334e6dc055e574e813492f472083212c6a5218bcf3bda722953df9
MD5 hash:
c49d6771cea35b0b34cc842b4b6704ef
SHA1 hash:
4ba42fe57144fd58e4b39348b9ef9a561c02a47f
Link:
https://www.unpac.me/results/7ea7424c-18a1-4966-83d4-76a0c036dbd0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/637230043b33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/637230043b334e6dc055e574e813492f472083212c6a5218bcf3bda722953df9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/357404/

Comments