MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a3b25296bc9573f15df36192ba3e34cf39bd9beeb236a77d74abe0871db7f5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a3b25296bc9573f15df36192ba3e34cf39bd9beeb236a77d74abe0871db7f5c
SHA3-384 hash: 6a9e496f376735b7c3977164ad33e1f5c0683dae93aa4e204752e60b79a530969520b18d85fe61c1cea3b4b5fb95742a
SHA1 hash: e978615b4e4b246c8cbd20dcf8f763704d73db59
MD5 hash: dce62039df2bafb63e0e146ee03f3b33
humanhash: may-seven-ten-ohio
File name:dce62039df2bafb63e0e146ee03f3b33
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:311'296 bytes
First seen:2023-04-05 03:45:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:H7Ueze6DGennAb6WG/sNXaLGrvlYOwXGZD3OsyjCKHMAIGn:FzvDGenntB8dYfcOHemMC
Threatray 3'661 similar samples on MalwareBazaar
TLSH T19064BE173A80CAAACE7954F6A117408023D9DCBED54EE34D6ACC32A35FF1BD6543660B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2b09c8ecebafe6e (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
dce62039df2bafb63e0e146ee03f3b33
Verdict:
Malicious activity
Analysis date:
2023-04-05 03:46:49 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/00252614-c13a-48ce-b3d3-2c10e16ef19f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380178/
Detection(s):
SecuriteInfo.com.Variant.Marsilia.34054.27408.21262.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Creating a window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed redline
Link:
https://www.filescan.io/uploads/642ceefb05c72da113b3831e/reports/8b34ddff-2f81-458d-af79-d60707e067c9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7a3b25296bc9573f15df36192ba3e34cf39bd9beeb236a77d74abe0871db7f5c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c09b7fef-7d13-4d15-8fd8-4bc12340e491
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208556
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a3b25296bc9573f15df36192ba3e34cf39bd9beeb236a77d74abe0871db7f5c/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-03-31 15:58:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pi5skkllzflt6fo7gymsxi7djtzzxwn65mrwu56xjk7aq4o3p5oa._file
Verdict:
malicious
Similar samples:
38d5e22812d54ff37736eed314bbf4dbb8ab42a4c0129e164c002571da77d6a3
RedLineStealer
7495bdb0be9555982d0aadde5a02917d5cf41af4ad74a73c617b3d632d0e6d6d
RedLineStealer
781437ade29c756dce9bf998c973a43e41a5657f3aaca693ed212cca7319ddf6
RedLineStealer
815e4f0d10bf4c941206a714024bc6c50b84c944cc04baf3e5ae2eab64499e79
RedLineStealer
a36a1dacd71f1f8583bb0e60d2f92ae84601caefbfc0cc90f0e2b3ac0e9dc3f1
RedLineStealer
a94d1c321b8abad8ed617190fe77623d40928262cdbdb81408caf2d108425f32
RedLineStealer
b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598
RedLineStealer
+ 3'651 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:superstar75737 infostealer spyware
Link:
https://tria.ge/reports/230405-ebmdfsde6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
82.115.223.9:28881
Unpacked files
SH256 hash:
4ddcfea3aba83ced05c3a494fdbeef4dd38479cc9bb30e293d8fa1b49cfe0365
MD5 hash:
f0787f030dae9f0de8db78274e83294b
SHA1 hash:
3fa01d79756852f7e8bc6f6bea617e76ebea27a2
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/e6a753b9-64b6-4748-a387-ef52a4996610/
SH256 hash:
a68c25553d2c80d00e9d0e9e7f0eb6d41d3e3dd25c1776aa0ce6386cfce1ef88
MD5 hash:
e8d7be839c545cce61f421b2abbf083f
SHA1 hash:
09606ee0918d26f529984d518a0da5f9094b13d9
Link:
https://www.unpac.me/results/e6a753b9-64b6-4748-a387-ef52a4996610/
SH256 hash:
7a3b25296bc9573f15df36192ba3e34cf39bd9beeb236a77d74abe0871db7f5c
MD5 hash:
dce62039df2bafb63e0e146ee03f3b33
SHA1 hash:
e978615b4e4b246c8cbd20dcf8f763704d73db59
Link:
https://www.unpac.me/results/e6a753b9-64b6-4748-a387-ef52a4996610/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a3b25296bc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/7a3b25296bc9573f15df36192ba3e34cf39bd9beeb236a77d74abe0871db7f5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Hunter
Create hunting rule
Author:Potato
Description:Unpacked RedLine Hunter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7a3b25296bc9573f15df36192ba3e34cf39bd9beeb236a77d74abe0871db7f5c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2597921/
Cape
Cape
https://www.capesandbox.com/analysis/380178/

Comments


Avatar
zbet commented on 2023-04-05 03:46:07 UTC

url : hxxp://h168296.srv22.test-hf.su/103.exe