MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238
SHA3-384 hash: b94333c334c0dc715027228c9a3b3b3877dcc09deabfe99c74e7417a03f61186e2e5626be59a5c280fac678f612b3473
SHA1 hash: 4617a0506a02830e7d6f34ab6e1d6dad2a989476
MD5 hash: 933d69aa61cd10c9c50b342cd8b08dec
humanhash: item-mockingbird-juliet-jupiter
File name:SecuriteInfo.com.Win32.PWSX-gen.7845.20802
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:516'680 bytes
First seen:2023-10-21 02:36:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb8b51bfd9f71c7452726205f579a090 (11 x RedLineStealer)
ssdeep 12288:iZfdZ5riZ3TJhc5qf5IsEV1JtYbXwrS+GzZFVy9pUcuP+VRRL:YbrSk5rdV1sjAL
Threatray 395 similar samples on MalwareBazaar
TLSH T1CBB46D33DC4861E1D2D71C7994998D6558F9BA6123F16CE31E6C0B4FCA363D3EE2A224
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.7845.20802
Verdict:
Malicious activity
Analysis date:
2023-10-21 02:37:19 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/56cc23ae-4296-44c1-b10a-cb1b5128d8a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7845.20802.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed stealer
Link:
https://www.filescan.io/uploads/6533394e5f371a3fc85dcbb9/reports/41e38f98-65b9-41a3-9b08-c47d3b0a0971/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c00211d-f243-4aad-bcd0-1839b722a1f2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329575
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-21 01:09:41 UTC
File Type:
PE (Exe)
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2bsttsfxkwsbpi3ptu363tpdvxkle2zaqjqu4fcovqx6urp4i4a._file
Verdict:
malicious
Similar samples:
31816a58b810162ddafb79da75983cae35195f9301ecaee35b75dba89f64ed1e
RedLineStealer
64b4fdff6a88ebf1ba203f97e6a6d0a5428033bc68dbbba82a617b45f3b49dab
RedLineStealer
90e574804204b26a7a56a54d56f44660131015bd4f4dbd58e42717634cc442ae
RedLineStealer
9481382a3f7b57e43068571a3fbd242e48321f802b219fc09d32f76f30272ca6
RedLineStealer
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
RedLineStealer
9b05dd809ce00e1f1e9c79cd9216de50322ec66df8b3f50ce3e36b31266439c3
RedLineStealer
af54a35dd3ce3d2584bcc29d858664b3fc7304f0996d7bf07f6ae95e75c5e698
RedLineStealer
b3ed17e2febaa1202df3dcefaad1a086155d0008f9ee5037b6804889997078b1
RedLineStealer
d66922b28048229f0d1700f944e7b94e282f99d838524e6a8f85f6bdee8c3424
RedLineStealer
e08da1e1ee8b136cb4bd34f7f014816d628e2f5212077112a1a4c9bd3a2078cd
RedLineStealer
+ 385 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/231021-c35yrscg4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
90a9a9849f92ea3833f8255ee4e5e99a3c7ab0be5096f67a2b8432afade7e901
MD5 hash:
143c57a2fbf1ccc1766679f4c26ef58d
SHA1 hash:
2de3e21b3a02a8acdd003a470b6b0c9249dfb528
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/d7966c97-a8bb-4d01-a6bc-bd23752001a8/
Parent samples :
4764b12d77cf75edd197f0b9de892a39a4024d6dd595f60b50afbf72850f7306
b3ed17e2febaa1202df3dcefaad1a086155d0008f9ee5037b6804889997078b1
cc7bcdfee502f5cc0c042b3a97ef737afa5cccb46a2dadaa02bcf74faf6fd8ac
e298f86eab0e2f44603b7640af6f89269dd2e00115e778f3d2e6bddde0a5f39c
05005e88eefea5ab3e7cbd83ae7652bd9252412cfe1dcd4cf3243a84110444e7
e08da1e1ee8b136cb4bd34f7f014816d628e2f5212077112a1a4c9bd3a2078cd
9481382a3f7b57e43068571a3fbd242e48321f802b219fc09d32f76f30272ca6
af54a35dd3ce3d2584bcc29d858664b3fc7304f0996d7bf07f6ae95e75c5e698
7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238
bd40ae0f9a2ee01b7156fb13219c0163738c64084eb5eba7ad69346918876c48
514e2e15b07d9a29270781043a5aea8eb289fcf952355972c18b1eb256cadbb6
7c7d8541766ddad17d9735ed7183d3d7e3433ea580258ed89f465fc8e91d3b82
45b6def20feedd1394fbf0c6c8884932836b315bd8acf4c03808f293628a1ca0
677aea100247ff0f83128c3355de1cfbf24d176ba28d27b489e9b07ff17e65d1
564b0cb8a13964bc87dff7d5fb34b7d7dccf92ea2f89d3b9bb84fb13d5a2850c
a3ec0982ce08855c2c47a8246d2cd18bba731c3318dde3557c48677487735125
ebdf1ba0807f3f5053830d8c3cf663cfd0d4c01b30c7b3bb01169f4a89d6a7b2
5594aee8f2d40cc0a24ee191010f823be73524e947ffd2b7f6e3e37b18fc9220
f15baee0f06e5af8b5895b57578c1c15649d95ade9e80d6a06c0ebdc57159e59
84468bfdcb264e3eca47a0c5a803fbd5156a75166b40bba97e55c9282f42988e
f9056423f67ae129475439f61196d0984078f779d819b2af21c33ca45aea3fa9
90522e6a880f6a97719035e3945da1c0c0384f154cf631732ea16a3a9f827b7c
5d50a1577ee0791e7aba6bf8e679b4795d533a3daa54177ce8a0ec25cc8d3df2
41352e9771b906b5913a9e6a9ecd3fe423bc3e91993a5373a67f7226a6eb6abf
117332feb820bbd8d10177720dae9736c7f62dd2fcc5b9518eed427f90af6524
3fadc1de1c8c15a141869be86b1afc68624dfec81775878cd784e59a108a071e
8bf4003e54f6b55b62e429cf90e78491c109497a50c5d4e6a8afd07f0600ba43
7ab74f07884f3083ebf82cb7c516f9f8a9ffb5e4b6d8b160f1be4722764bf8d5
e658a5b736828e06a859fe0cd526310e7b89a2ede6f81929249d91521343505f
511200316cb76da22104be6e9fa680130d547e83b2b00c062da4719f441df3f6
a644828e65e177886a9afc6e25e697b972a2dc92ec53762467a0628c214e6d54
e7265bde62bf6e3ac1823bdca2a6cadd062331558ee13465dc4813ebe47860a2
3f9c5c35a9b26d717aaebefd7b8eb13cea876b7f561c247a49715307faa47ca4
e0f8898a3b8a28586efe65e9afa0c08e252d3b41f1380ebbb93d3226dc5eae34
886453383c7e3a0b520ca655c4f8050c3843bd8d62c5d8a97f9d0dc783b36922
90f8d3b0a8ab79a3c28d287141d6c9fc433bd076906a75098cf2ef9efd339139
8ef6983e75e758988bc62f41114df351aeaae8312103e2bfb3d828a129bbceb4
84e902f84f695d1c9c627dcdd8ba449e5b330d04b578c1698c2d7f636a1b6e59
3149863855e7996faceab6f072aa7f568859fdc81e1ce2838ad465d858eef6ee
19a5970b745f76201f5d67ea465fb8256defa0264337f08713bdfd2818f9c2b7
5066186c53f71a9bfddbcba3813e209f31a42a2b92d93a2b1dcf0599ef98f357
acde06290e2fe885833a64a603eb08efe77fd83f2c9f086211b40a10287e18a0
b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7
SH256 hash:
7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238
MD5 hash:
933d69aa61cd10c9c50b342cd8b08dec
SHA1 hash:
4617a0506a02830e7d6f34ab6e1d6dad2a989476
Link:
https://www.unpac.me/results/d7966c97-a8bb-4d01-a6bc-bd23752001a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.07
Link:
https://yomi.yoroi.company/submissions/7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_stealer_bytecodes_sep_203
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2722687/
  
Delivery method
Distributed via web download

Comments