MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48
SHA3-384 hash: 7b0ef8a5aa10d3b0c07b8ee876089f94bf2247d547695d4f8ef9ab794205a2158d5d7326e09373515ad697a6b9948fd7
SHA1 hash: ac0b1640dfe3aa2e6787e92d2d78573b64882226
MD5 hash: 317c1da3d49d534fdde575395da84879
humanhash: hotel-uniform-moon-three
File name:317c1da3d49d534fdde575395da84879
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:502'272 bytes
First seen:2023-10-30 07:25:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 84e31d32a2cb7830e40cfcbea395c7a1 (6 x RedLineStealer)
ssdeep 6144:2SiQd/r1D9jZEDE6Q0CaH4zV0nlFWMlc2ui5MZI26noYfhvIUs:HiQxJ9tAE6nZH4zVAlFTO2uONvnoYZv
Threatray 540 similar samples on MalwareBazaar
TLSH T146B44A95818788B2DE982E7E7DDC3BE04FA32C3419E13EC72EC9F94021F76656361529
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457055/
Detection(s):
SecuriteInfo.com.Trojan.PWS.RedLineNET.6.13666.10250.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Gathering data
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/653f5a8ebc703e36b0933f83/reports/981b2042-74e9-4e77-9968-79d519ff0157/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46ad3051-443f-44ac-ae3e-dbc1478d846e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1334086
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-29 01:58:54 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojtu5gr4glkuk7ey55zdxe4kxqbjkmu4p3cy7hqhudfr5gldd5ea._file
Verdict:
malicious
Similar samples:
509401c96897e797f40b0251c3344b12f3d81b0f976d7ed38d87b918eeff35a7
RedLineStealer
64b4fdff6a88ebf1ba203f97e6a6d0a5428033bc68dbbba82a617b45f3b49dab
RedLineStealer
69b3cec83a51a5142d2f03856347bfe454e79c785e0b6425c0bcd632edf94a3f
RedLineStealer
9b05dd809ce00e1f1e9c79cd9216de50322ec66df8b3f50ce3e36b31266439c3
RedLineStealer
a5ce453acbb267f103b58c5ca71458e2f803376a6cd38f29f91044be00ab669d
RedLineStealer
b3ed17e2febaa1202df3dcefaad1a086155d0008f9ee5037b6804889997078b1
RedLineStealer
b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7
RedLineStealer
d66922b28048229f0d1700f944e7b94e282f99d838524e6a8f85f6bdee8c3424
RedLineStealer
e0f8898a3b8a28586efe65e9afa0c08e252d3b41f1380ebbb93d3226dc5eae34
RedLineStealer
+ 530 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/231030-h9hppsdd65/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
5245e33618739f3659bf5152100f01a51ca8ecd108fec5cc9828cc50491fd314
MD5 hash:
aaadabe7997187b9189ece36a1e4a570
SHA1 hash:
4dca92da029dda8177e8ac95d8af9ebdd4891cbd
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a9ed8afb-b61f-4958-a24c-b49ee6188137/
Parent samples :
8a0ce1dce56b91f1612ca22b2469fab9d34cd18313f67b960a34160e06f7a51b
04ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0
72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48
7ffa3cf71ff6e8aec4029586dcca55a61edcd799212eb14b7a18073fea4e8c5d
SH256 hash:
72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48
MD5 hash:
317c1da3d49d534fdde575395da84879
SHA1 hash:
ac0b1640dfe3aa2e6787e92d2d78573b64882226
Link:
https://www.unpac.me/results/a9ed8afb-b61f-4958-a24c-b49ee6188137/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 72674e9a3c32d5457c98ef723b938abc0295329c7ec58f9e07a0cb1e99631f48

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2726601/
Cape
Cape
https://www.capesandbox.com/analysis/457055/

Comments