MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74b9aebd8eac711b7b20c36aae929c4f05f5364556c87e89c1eb2da01f750869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18



SHA256 hash: 74b9aebd8eac711b7b20c36aae929c4f05f5364556c87e89c1eb2da01f750869
SHA3-384 hash: 25a39958bf91f3c7c2c2ce2da12302fc1eda65ae961843a4921139e30c75642a61182d3e4d58f6336a363246b94b2fae
SHA1 hash: 1a6e3b50bc7f410408e506e6452dec5bdaa3b5eb
MD5 hash: 100584bc430ab510defe99cbdc02a017
humanhash: music-butter-vegan-paris
File name: 1a6e3b50bc7f410408e506e6452dec5bdaa3b5eb.exe
Signature: RedLineStealer
File size: 425'472 bytes
First seen: 2024-11-11 16:49:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0301c97692eb66d40eb60ddb80bc0b65 (11 x RedLineStealer, 3 x Rhadamanthys, 1 x Amadey)
ssdeep: 6144:SlTbcBgnfPGIgAce1xDFrIWjuTVCBK+ww6xXwvRt6MdNU1:0TASfPGC9DrIPVQ3wwOXwvvdN
TLSH: T149946C53A2E13D44EA268BBA9F1FC6EC770DF2A08F49376D12199E1F04B1172D263B51
TrID:
  46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  8.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: 0018988080888280 (4 x RedLineStealer)
Reporter: NDA0E
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 383
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: e8258e7f5dd4b0774a375159c51c27e745c08e7c36c6effef50d28dc20e6419f
Verdict: Malicious activity
Analysis date: 2024-11-11 09:54:26 UTC
Tags: amadey botnet stealer confuser netreactor
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: virus gates agent

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Connection attempt to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint microsoft_visual_cc packed packed packer_detected

Malware family: RedLine Stealer
Verdict: Malicious

Result
Threat name: PureLog Stealer, RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2024-11-11 09:54:33 UTC
File Type: PE (Exe)
Extracted files: 70
AV detection: 21 of 24 (87.50%)

Threat level: 5/5
Verdict: malicious
Label(s): shellcode_loader_002 unknown_loader_001
Similar samples:

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
RedLine
RedLine payload
Redline family

Verdict: Malicious
Tags: Win.Packer.pkr_ce1a-9980177-0
YARA: n/a

Unpacked files

SHA256 hash: 3323bc351c9f930cc8b60bd7ecc2ad059207a331ae982412502412b648362d0f
MD5 hash: 9831484fcd1f515d4d84f5caf1ef887c
SHA1 hash: b330876a2d7b091b8452d068f3244b279f5c4a76
Detections: redline MetaStealer MALWARE_Win_RedLine SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24 MALWARE_Win_MetaStealer INDICATOR_EXE_Packed_ConfuserEx RedLine_Campaign_June2021

SHA256 hash: f662fedca5ee7969e3cf92e4ec2484dbb6f1ad1791a5f122855a39c20a446693
MD5 hash: 7d43405cf2cda076e5a1a4e430173d2e
SHA1 hash: 79237c04efe8afb26c7b2a49eb5aaa06d1182f72
Detections: win_samsam_auto MAL_Malware_Imphash_Mar23_1 MetaStealer_NET_Reactor_packer MALWARE_Win_RedLine SUSP_OBF_NET_Reactor_Native_Stub_Jan24

SHA256 hash: 74b9aebd8eac711b7b20c36aae929c4f05f5364556c87e89c1eb2da01f750869
MD5 hash: 100584bc430ab510defe99cbdc02a017
SHA1 hash: 1a6e3b50bc7f410408e506e6452dec5bdaa3b5eb

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                      Severity
CHECK_AUTHENTICODE          Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
CHECK_PIE                   Missing Position-Independent Executable (PIE) Protection   high

Reviews

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence:
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::FindNextVolumeW
  KERNEL32.dll::LoadLibraryA
  KERNEL32.dll::GetStartupInfoA
  KERNEL32.dll::GetDiskFreeSpaceExW
  KERNEL32.dll::GetCommandLineA

ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence:
  KERNEL32.dll::AddConsoleAliasW
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::ReadConsoleW
  KERNEL32.dll::SetConsoleCursorInfo
  KERNEL32.dll::GetConsoleAliasesA
  KERNEL32.dll::GetConsoleTitleA
  KERNEL32.dll::GetConsoleAliasExesW
  KERNEL32.dll::GetConsoleFontSize
  KERNEL32.dll::GetConsoleTitleW
  KERNEL32.dll::GetConsoleAliasA

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence:
  KERNEL32.dll::GetWindowsDirectoryA
  KERNEL32.dll::RemoveDirectoryA

ID: WIN_BASE_USER_API
Capabilities: Retrieves Account Information
Evidence:
  KERNEL32.dll::GetComputerNameW
  KERNEL32.dll::QueryDosDeviceA

Comments