MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79
SHA3-384 hash:	6eaf6a2614c661d2cca9e0400c243ee243358595b0a2a0670f4d6fc3e739f867f62d76a945709ae93ea02924d24b8413
SHA1 hash:	ae7c12d6de1dc97973d0c23eec9f20ba6d04ec84
MD5 hash:	1a90749990cd53ca3fced5acfaeefb1a
humanhash:	monkey-ink-pizza-batman
File name:	1a90749990cd53ca3fced5acfaeefb1a.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'519'256 bytes
First seen:	2023-02-15 15:32:39 UTC
Last seen:	2023-02-15 17:34:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:KhefaqG4yPa3Pj67yz8t2+1ZpyN2uVA4yOQ6jEu06Fy2Mxzo3:0eSqG4yPafmN9yNBqT364u06F0xM
Threatray	10'383 similar samples on MalwareBazaar
TLSH	T154467D6337B199B2F78720B204247A8C5BF17613BE16E2938BB737C06785DB77298152
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1a90749990cd53ca3fced5acfaeefb1a.exe

Verdict:

Malicious activity

Analysis date:

2023-02-15 16:07:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f96bab04-70ae-481f-be2d-b8a34a9cd469

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/366744/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65325059.694.14598.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive overlay packed

Link:

https://www.filescan.io/uploads/63ecfb3454f64beb90111b10/reports/926e8c3f-b309-495c-817b-ec6a9fed8da8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00d9a8d6-8cd9-45d2-ba19-08b6628a991b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1176060

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-15 07:57:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 25 (92.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=si7oisonc2amw5h5ihdyk2eobf2mnejnudhdpz66zv43pl2ujv4q._file

Verdict:

malicious

RedLineStealer

32551f9124a359edf3435979372676a4c5bbaeb0423cc3ec53d382abb39d850f

RedLineStealer

4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

RedLineStealer

501f2463bdfc1e0260205d87eab7bcfe23254cefb6f43923172bb852cc96b2dd

RedLineStealer

d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d

RedLineStealer

dab0d575cb650dae64243a3e53d3e2de98e25d819d1f87212fcbe38e54135cc0

RedLineStealer

de58c36e0d6373fdba1d14fe4085968e4753ed8d490699b36c7f065a4d9a6ea8

RedLineStealer

ecf0c11ebf5e4d33208470fa906bd052aed3bbb5389b6b5a382b33b8a92cf70c

RedLineStealer

ee1613bb37062a8e65092ec3aad9efc1c21f65732745d5557d255c13d6b28d3f

RedLineStealer

+ 10'373 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:03.02.23 infostealer

Link:

https://tria.ge/reports/230215-sy682acc6s/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

Malware Config

C2 Extraction:

188.127.227.25:6714

Unpacked files

SH256 hash:

178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad

MD5 hash:

159af9cf7f94d64c8120c80268965306

SHA1 hash:

fb41ab37af2c83e96d97e9cd066f90e72d4887ea

Link:

https://www.unpac.me/results/c3c0f722-1aef-42bf-be97-5a3a8109105b/

SH256 hash:

7f505e2138b37c24aa0dfe94fe9fadee027d2dbff221ed6f96e723e802687256

MD5 hash:

07b414071c7992416c277dc71650b329

SHA1 hash:

b146efc147be06acde6b0596406e5b2fc2ec2c91

Link:

https://www.unpac.me/results/c3c0f722-1aef-42bf-be97-5a3a8109105b/

SH256 hash:

c32fa05ad7c59bac46a8f3a9c9b2b6a33723fdb965bfafaa54dc835a8e3f4a99

MD5 hash:

d9da3577de5c6865c8da6f71569f86a0

SHA1 hash:

80547403f67a567da1223f50288961ac98174583

Link:

https://www.unpac.me/results/c3c0f722-1aef-42bf-be97-5a3a8109105b/

SH256 hash:

7d94586b5929fedd75a4fffe2749713b16aaa3de2a9c5ca7483bf87fd76890a0

MD5 hash:

22bb1b01911217d1c5777e81f5132693

SHA1 hash:

492026e5e67726a7f1526df6b950ff5162824dff

Detections:

redline

Link:

https://www.unpac.me/results/c3c0f722-1aef-42bf-be97-5a3a8109105b/

Parent samples :

d1e855b6fdaf8bb11bdc2103a2021b7dd7b1bff08e5c2a10dd7d8a557b3fae70
923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79

SH256 hash:

fda224e75d3d47576ef051074e537490f1069d2eb66a87ee9ca2a60aea3a6752

MD5 hash:

32ed737eca90126ae0feb8dd17d029ac

SHA1 hash:

2abe1c0ad3d220d114f565c349006ce9ed7cdd77

Link:

https://www.unpac.me/results/c3c0f722-1aef-42bf-be97-5a3a8109105b/

SH256 hash:

923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79

MD5 hash:

1a90749990cd53ca3fced5acfaeefb1a

SHA1 hash:

ae7c12d6de1dc97973d0c23eec9f20ba6d04ec84

Link:

https://www.unpac.me/results/c3c0f722-1aef-42bf-be97-5a3a8109105b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 923ee449cd1680cb74fd41c785688e0974c6912da0ce37e7decd79b7af544d79

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2525251/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/366744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample