MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46
SHA3-384 hash: 21b8bda96d12a9e417fa83babd92407ab8c86c9df4812e267bf687a016ea0cd737c38886baa1d1ec9c57edb3ad6c747a
SHA1 hash: 0f0c1aa695796b6e1ec328726d8c4b722d7d77e3
MD5 hash: 72a54447de39257bb10e7117d2209b08
humanhash: mockingbird-floor-double-berlin
File name:hotel_video_confirmation.mp4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:13'668'104 bytes
First seen:2023-11-13 05:38:32 UTC
Last seen:2023-11-13 07:29:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 393216:zz13/19ICVjz44qxB9JnLDXeKbfWRYxKjIGG:zt/ICFC5LDMKYkGG
Threatray 948 similar samples on MalwareBazaar
TLSH T140D6E02CF69DFDD1F53C82B5D9E1C4E8A071686702D1EA7368F4984E1B112AC85CEF4A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 74e0dcdcdcccccd4 (4 x RedLineStealer, 2 x Quakbot)
Reporter JAMESWT_WT
Tags:bookinggoogledrive exe mega RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
346
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.IL.MSILZilla.4187.29358.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/6551b6773b0c3d662609771e/reports/405f46cb-f823-4b76-8c63-d627000ef363/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46
Result
Verdict:
MALICIOUS
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a492accd-bab9-46d8-8932-1ca002e71104
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1341482
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mrvygld3lrjelt7ozztvm7ekmga6irmv4vh4ryum42vfw42q5jda._file
Verdict:
malicious
Similar samples:
2ad246c95f79a3f21623a89e7de935f8ec7e42c6875a15b30e219a465f4e4907
RedLineStealer
4552ab09da79c87c738ca22f1c929de0fd1cec18ca96554f0c7623736a5bee49
RedLineStealer
924dbd780a4134731c44e5444186fe727245f9ebb5ed78c9f141c4ba05cd46b6
RedLineStealer
9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
RedLineStealer
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
RedLineStealer
a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6
RedLineStealer
b6b0d6b91bb76f5a9b270d15326ddb9fe5dd2be82e89f095e95be2ddc9b925f0
RedLineStealer
df31be81823df03c434880f9d7bc4204ba78c8987d2fc6de819db397a0e390d3
RedLineStealer
+ 938 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/231113-gcar6aaa6y/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Unpacked files
SH256 hash:
640880c7064a07f32fce3a96e17751eb30a1fd0d83dc1f074323d9d9c9374917
MD5 hash:
4beed2e9a38cd201cc20fbe9c5b2d05a
SHA1 hash:
e00759c6699317a8812fe69648bda3451a2a687c
Link:
https://www.unpac.me/results/4960a4e9-7ab0-43f9-8494-815612093987/
SH256 hash:
137958f4a2317dca637b5298773594ece0dce793fd39ed9993eb2b7add6d311a
MD5 hash:
ae06c18ae45fc3470ac104a2c37ae22d
SHA1 hash:
7c3be80477352755d52ce63c552269c34293ac9a
Link:
https://www.unpac.me/results/4960a4e9-7ab0-43f9-8494-815612093987/
SH256 hash:
b643417f916c818e94238efabd5ca7226ff7970ab5c7732ed568c104aee343df
MD5 hash:
0869b29d9328adf97b0ffcb23c2a9458
SHA1 hash:
7ba2ff21d5c0071ab5cd6fcbf5c56862e3931a5a
Link:
https://www.unpac.me/results/4960a4e9-7ab0-43f9-8494-815612093987/
SH256 hash:
fc1b6ea2a378100d9b7baef74f5c9e4fcfdbc23c32b0519e0fecd3fe95476b07
MD5 hash:
2ae7368346432e10490dd9d6187b7063
SHA1 hash:
2e5781b23596cdcafcecee0875693fad54003480
Link:
https://www.unpac.me/results/4960a4e9-7ab0-43f9-8494-815612093987/
SH256 hash:
39c95b4d3a0b0992aa6c826412769cdc7ccad0fb8b470a84e9b515c1afe0ec8d
MD5 hash:
43d59b5767b8ef86e11f1c6646ba594a
SHA1 hash:
0f23fd8388fdaf4e5a058332c153201eae4f3475
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/4960a4e9-7ab0-43f9-8494-815612093987/
SH256 hash:
646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46
MD5 hash:
72a54447de39257bb10e7117d2209b08
SHA1 hash:
0f0c1aa695796b6e1ec328726d8c4b722d7d77e3
Link:
https://www.unpac.me/results/4960a4e9-7ab0-43f9-8494-815612093987/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments