MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 790b75e1d50978e41ae57a87008b3d1922d3efd15924b59a2a0967f29abdab8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 790b75e1d50978e41ae57a87008b3d1922d3efd15924b59a2a0967f29abdab8a
SHA3-384 hash: fe79e1d36b370365535e3d15fe654c0b11d051b2afe78ee9ad604384b6d910108c6838bd546d54acbf26984cd46bf039
SHA1 hash: 1175938b92b11009d2b8e6dc34403d869da82fbe
MD5 hash: 1fd81be6b3c441cea94d8e55bb4ae0d8
humanhash: oranges-pasta-nitrogen-pizza
File name:setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'722'176 bytes
First seen:2022-02-09 17:30:08 UTC
Last seen:2022-02-10 06:43:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c731c5b9001d2535d059651bc782194 (12 x RedLineStealer, 1 x Formbook)
ssdeep 98304:m1lxxSMKBRoYyC45K3obEpVvazck8GqMl5eZmdtVDdas/H5qJq0mOsE:U3SDBWT5Qna4k8meZmdt/a0ZLOJ
Threatray 1'804 similar samples on MalwareBazaar
TLSH T1342633E58AED1D53CA8FB778591A2E1382EE1E7081C1948A4B417C34F3FB897E1096D7
File icon (PE):PE icon
dhash icon 8ab2c0c4d0c0b282 (9 x RedLineStealer, 2 x AsyncRAT)
Reporter adm1n_usa32
Tags:exe Redline RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2022-02-09 17:29:14 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/8cfe9d13-8238-4822-93d9-43439de79ef1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239774/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
DNS request
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed yakes
Link:
https://www.filescan.io/uploads/6203fa60942573cad44c1c95/reports/52859799-6797-4d2d-8e4f-1d72089a88fd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77d75df4-67a6-4ef7-8a24-61569826b02a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937106
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/790b75e1d50978e41ae57a87008b3d1922d3efd15924b59a2a0967f29abdab8a/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 17:23:49 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pefxlyovbf4oigxfpkdqbcz5dernh36rlesllgrkbft7fgv5vofa._file
Verdict:
malicious
Similar samples:
21054e559ffbfd37f07ce33085fb9c4ed8e9583f66aaee1f68b51ea01ab2e757
RedLineStealer
4ed1d3fdded148140258ad401ec1ff099bdcf3e3270d7deaba4a63b762e3e863
RedLineStealer
70862f087542d47368ffb6d02a72c2353ab863af11d53c94f2fb81a9e1af2dd9
RedLineStealer
752e7330e3a78a5f97d052bbaad3b72803b4f9d21fe3b90f6619422dbcfe6fac
RedLineStealer
96ed2610e94b19233c22c2341bb36f340298d76bb36bf658a0d853b91e1acc4e
RedLineStealer
9ba99ef6e07d224b950b451c6e414e9c12ef7429d8e59d5cd841ffbc3c5369ec
RedLineStealer
a5da2c2da168c53897eb7580f0af6e0988e5c801ed766d7a7450e97b9b000ff4
RedLineStealer
b17e3d464b920c10cb0ceeca0ae9eed030863ddc4233d03ab1ab0f01b58bb92b
RedLineStealer
ec05558f0ce0cba4365d379c300561112878e5e71bdb0bb8cae1335594187686
RedLineStealer
ee31b5f97e35ab401e74ad66f1d39479fb6bdefa3018dee605cfc6bd76bc1c46
RedLineStealer
+ 1'794 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220209-v3qsysbcdj/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
613809c5dafe3aa517a31ab36f68ed0c5574cb58a261f76f4240d355bf26739b
MD5 hash:
68595a82248930ec61d1ca5b2e15d066
SHA1 hash:
11bdc00394271e9c7f4076ec39e8e6e93c137513
Link:
https://www.unpac.me/results/17f6c502-ca5f-44c9-9efd-937b8c8613a3/
SH256 hash:
790b75e1d50978e41ae57a87008b3d1922d3efd15924b59a2a0967f29abdab8a
MD5 hash:
1fd81be6b3c441cea94d8e55bb4ae0d8
SHA1 hash:
1175938b92b11009d2b8e6dc34403d869da82fbe
Link:
https://www.unpac.me/results/17f6c502-ca5f-44c9-9efd-937b8c8613a3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/790b75e1d509/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/239774/

Comments