MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f
SHA3-384 hash: ea86e306ba061fffa331cfb2e158f9939bcc760b212c5ecea62fc3ae2c7d17390f89cd8472b629233cfd012d5f3d80c2
SHA1 hash: 353f69426be7011ce67ea03a8c6f4ae0d1354f79
MD5 hash: f2843d0ece5de99b19dc6ad56bde6ed3
humanhash: may-cup-lake-maine
File name:SecuriteInfo.com.Win32.PWSX-gen.31026.20526
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:245'248 bytes
First seen:2023-08-27 14:33:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f3c9e4f5117bac247a9fa50ea51aa9b3 (1 x RedLineStealer)
ssdeep 3072:lolLvssSrkIyfmgK3cy0Q9WVoaae81CbuUN0BPkf11gr42xfsjwsfuB/:yBssSro4MpQXACn0nisjvfuB
Threatray 1'802 similar samples on MalwareBazaar
TLSH T1AE3429BE54E06860EC81F2FB0351BF6CE57638169AE0933D137A22E6726E5C0D778671
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.31026.20526
Verdict:
Malicious activity
Analysis date:
2023-08-27 14:36:37 UTC
Tags:
redline
Link:
https://app.any.run/tasks/c1bc3b9a-0c8b-4885-9c08-e8ca20731cca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31026.20526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108939/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/64eb5edb7444d2eb09f24054/reports/5be5d57d-7417-4c19-88e2-c27284d590e1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
WeeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52bbb626-ce05-4f7b-8042-2bd7b2111cb0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1298253
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-08-27 14:24:08 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sa6w4tl7crvaqst5ptwg5wrncdx26iltkg5xh7qlpj4fv76f247q._file
Verdict:
malicious
Similar samples:
3d9ff047118451feee7311190c00d05d95209c6b1e707ce18abe065017b845b8
RedLineStealer
622f16562811a002395e2139567050430b62bd09ca5cd5967a129f6594e76875
RedLineStealer
6dd1a8408e598604e40099415b555bb490cef19c9c096944f693bc0bea46a099
RedLineStealer
73a232f3b97846b0cda9708eb7781ca10f00c32c7137b97e84be70ce9f3c750a
RedLineStealer
7b40c4128a50bad16a3eaff13a76098cdb3f97cd9e5375df3473c173adbf37da
RedLineStealer
aa46c78978d744edae1170acdc7a518ff42bb02eba66a52724d46226b15c4633
RedLineStealer
e6dc45b261c3eb6b27fc2258f74d69bad8cf31059f051636f36d7352bf6b0c98
RedLineStealer
f3d9b0ff14159268907bd176413b3ffac1fd245debb622be0d24e019444aa36c
RedLineStealer
f432f9cb89ee9ea1704bf3d33c85f19483a4258f4277b126201930dff9d119f5
RedLineStealer
feb7a9aaa07a32e7d6431a818eda93f485ed2c382a65d38a15416598d1791260
RedLineStealer
+ 1'792 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1smokiez_build brand:microsoft infostealer phishing spyware stealer
Link:
https://tria.ge/reports/230827-rxelyscb4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Detected potential entity reuse from brand microsoft.
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
194.169.175.232:45450
Unpacked files
SH256 hash:
8e8e0373770eca3d6a83754b2b03a2aa4fb656da0fdf9ca7a22cec635e6456e6
MD5 hash:
95648a7a02ef3b1d3d4b75ec95321ae7
SHA1 hash:
a59f6b324262cbb6a506e6ba83070111f9ddc13d
Link:
https://www.unpac.me/results/60bb1742-f820-4b49-886d-2221db9e31b6/
SH256 hash:
8527c6bd10918acad665a69a4bee768a93f8bd4a6e5df9524db8ccb15908cd6d
MD5 hash:
a92d1176998ed38971164677ba713e01
SHA1 hash:
03cc7779822fc2daaa2912b69be4d39bcac120aa
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/60bb1742-f820-4b49-886d-2221db9e31b6/
Parent samples :
8222ee950ed5797be9775e4f663b77bcfd2cd167e3c507a64728f4caf01158cc
eb3d0d631eba885dfd0f9125726dc5722d778e84ff84674799f37e640ac7916f
7ccebb35a6047b4f54b86986f3c18a6676a242e6eb11ebba584dace0a1f18f7e
903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f
88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b
f45b35a54f3e388a312240466400b90ecde40f1e5b13aed562cee585cedc0273
SH256 hash:
903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f
MD5 hash:
f2843d0ece5de99b19dc6ad56bde6ed3
SHA1 hash:
353f69426be7011ce67ea03a8c6f4ae0d1354f79
Link:
https://www.unpac.me/results/60bb1742-f820-4b49-886d-2221db9e31b6/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/903d6e4d7f14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2706937/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2707433/

Comments