MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983
SHA3-384 hash: 6921591427621885b229152fa8f8d888d3bb3f00d6e310bd9eb14b41211eed6a290f86f1bf1e2b8f8e209a5127767188
SHA1 hash: ca48d6c3dd2a2887dcd203c6207a024396cc5039
MD5 hash: 458aeb444a66350118741f27c1f40bf4
humanhash: green-quebec-skylark-tennis
File name:458aeb444a66350118741f27c1f40bf4
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:666'112 bytes
First seen:2023-09-10 13:37:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:hMrDy90Y5z/zy4NBqp6s3tvim9f5b2pzNr+cG/AsitfYco:6yZpLyOBA6kvim9R2phL1fu
Threatray 2'929 similar samples on MalwareBazaar
TLSH T1A9E41216ABD89477E8B92B705CF64187073B7D22AA7883672B459C5E0CB33D0A43536F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
458aeb444a66350118741f27c1f40bf4
Verdict:
Malicious activity
Analysis date:
2023-09-10 13:37:57 UTC
Tags:
stealc stealer redline
Link:
https://app.any.run/tasks/3595d7bc-217b-475c-859d-76cb6c486e9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447729/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/754e42cd-e1fa-49ad-a862-f2abe0f045ae
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306854
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306854 Sample: bj7ZC2PVP1.exe Startdate: 10/09/2023 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 8 other signatures 2->63 8 bj7ZC2PVP1.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 file4 41 C:\Users\user\AppData\Local\...\y7435095.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\...\p9741728.exe, PE32 8->43 dropped 15 y7435095.exe 1 4 8->15         started        process5 file6 45 C:\Users\user\AppData\Local\...\y1486438.exe, PE32 15->45 dropped 47 C:\Users\user\AppData\Local\...\o3071913.exe, PE32 15->47 dropped 53 Antivirus detection for dropped file 15->53 55 Machine Learning detection for dropped file 15->55 19 y1486438.exe 1 4 15->19         started        23 o3071913.exe 1 15->23         started        signatures7 process8 file9 37 C:\Users\user\AppData\Local\...\n5564874.exe, PE32 19->37 dropped 39 C:\Users\user\AppData\Local\...\m8040720.exe, PE32 19->39 dropped 65 Antivirus detection for dropped file 19->65 67 Machine Learning detection for dropped file 19->67 25 n5564874.exe 4 19->25         started        29 m8040720.exe 13 19->29         started        69 Contains functionality to inject code into remote processes 23->69 71 Writes to foreign memory regions 23->71 73 Allocates memory in foreign processes 23->73 75 Injects a PE file into a foreign processes 23->75 31 WerFault.exe 21 9 23->31         started        33 AppLaunch.exe 12 23->33         started        35 conhost.exe 23->35         started        signatures10 process11 dnsIp12 49 77.91.124.82, 19071, 49716 ECOTEL-ASRU Russian Federation 25->49 77 Antivirus detection for dropped file 25->77 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->79 81 Machine Learning detection for dropped file 25->81 83 2 other signatures 25->83 51 5.42.92.211, 49715, 49720, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 29->51 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-09-10 13:38:06 UTC
File Type:
PE (Exe)
Extracted files:
117
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ouucgu4nurebuxabrmag4rldfowhsdpyrx3vnrvfikizqhmvhgbq._file
Verdict:
malicious
Similar samples:
01bda45f92bdaf75de7f809024177c873d12b133bb70ee1bec243ab7d3e9e3d7
RedLineStealer
0a458d8affc7f401e1c3b2ad52d0eb135dfab6c4a8e79c3d307c4145b184b239
RedLineStealer
3bb34b2c42f2940f7ddca6380789f30aad86375c842b634801c1fca174ea5f7c
RedLineStealer
51e8477d5aff6bf17a1f26167945b8757f000764fd76ac9044219e3e9654972f
RedLineStealer
553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de
RedLineStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
RedLineStealer
7901ae7b82aa0a020e234788d14d2a85a984054fb31050f92f614a2b5f4351c7
RedLineStealer
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
RedLineStealer
a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d
RedLineStealer
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
RedLineStealer
+ 2'919 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:virad infostealer persistence
Link:
https://tria.ge/reports/230910-qxc8fshd72/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
77.91.124.82:19071
Unpacked files
SH256 hash:
dbaf00646b7630bb7939d82ceacbb65f270d9eccb62927e66590b63e855f1e84
MD5 hash:
62ed4a23765dc876563ca4ec96a06596
SHA1 hash:
e5fcea229bfb10f19524dbedf8377bff123a382c
Link:
https://www.unpac.me/results/96a09d52-ed00-4db7-9b47-0ed8a1311828/
SH256 hash:
480777c8464b8518f828fee5835cf612218d1fb6c6c8df9967fa24be623c8a58
MD5 hash:
3986b10439f8b6174f1801082b7f7f55
SHA1 hash:
524fec53cd889e0ca4d918830da3503d1223e137
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/96a09d52-ed00-4db7-9b47-0ed8a1311828/
SH256 hash:
d6ab147e4018b7f07c1da823960fca48665c71b70bf5805b641ed1533c84687d
MD5 hash:
fddfa6233438e202ce966c5b5484397b
SHA1 hash:
f6a539fee6d7b19b588007c0df133ff72e778bc5
Link:
https://www.unpac.me/results/96a09d52-ed00-4db7-9b47-0ed8a1311828/
SH256 hash:
f7abcb1234f29423664862b279b57d1d160ae50c749c3fb6dea786e8ec8bc7ce
MD5 hash:
2736f52e6fb1261ee6dfc0294ecd4f20
SHA1 hash:
69de515236b74fc26d96fd5d14e37b19d3ca6bc9
Link:
https://www.unpac.me/results/96a09d52-ed00-4db7-9b47-0ed8a1311828/
SH256 hash:
aab0b08dcdf8039c82a1903afdd5890d698a8359339f5d7826377d1aa3fe5216
MD5 hash:
e12dc097f9d010703449e36ca1020960
SHA1 hash:
bb1f5217fd001f2f75df5b4648dd04bca4e53068
Link:
https://www.unpac.me/results/96a09d52-ed00-4db7-9b47-0ed8a1311828/
SH256 hash:
752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983
MD5 hash:
458aeb444a66350118741f27c1f40bf4
SHA1 hash:
ca48d6c3dd2a2887dcd203c6207a024396cc5039
Link:
https://www.unpac.me/results/96a09d52-ed00-4db7-9b47-0ed8a1311828/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/752823538da4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2710991/
Cape
Cape
https://www.capesandbox.com/analysis/447729/

Comments


Avatar
zbet commented on 2023-09-10 13:37:19 UTC

url : hxxp://77.91.124.231/new/fotod345.exe