MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d
SHA3-384 hash: ef35ca88a728084d4f8ec7cde52ca5916989c884df0769b1e234cffcde88655de19529d1de5518755b4ad0ddc1b3bcea
SHA1 hash: 35a78f621eb591e9b564184dff2516467a6cdb97
MD5 hash: 16439194756b561bb344a6d5cb08a2c9
humanhash: north-yankee-wisconsin-oranges
File name:16439194756b561bb344a6d5cb08a2c9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'063'424 bytes
First seen:2023-03-14 18:31:48 UTC
Last seen:2023-03-14 20:29:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 61 x Rhadamanthys)
ssdeep 6144:IahODlE7xQJ86nqP/s+de9pnVuHhZRb4tkC1VFO/DWLC352DFDJXTvkcLIh:Iiew+lLYePVqR0sqLC35gDQh
Threatray 7 similar samples on MalwareBazaar
TLSH T180357A85B348C017E8135A350E53C79E6B19FE82AA21729B33A4F75F973D9C36825B06
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon cc973333e96b96cc (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://tinyurl.com/fullsoft-up
Verdict:
Malicious activity
Analysis date:
2023-03-10 06:09:21 UTC
Tags:
loader
Link:
https://app.any.run/tasks/a140f3c8-696a-4248-8319-423b89baf1d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374345/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65831522.26368.3929.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll CAB installer large-file redline rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6410bda406c49bd8b6b5c308/reports/d416935e-6454-4b54-ad00-15a17d68079a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1453f547-6f42-4974-bff9-b4bfd17bf4ae
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193590
Signature
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 826495 Sample: mr0bho5v3G.exe Startdate: 14/03/2023 Architecture: WINDOWS Score: 100 27 i.ibb.co 2->27 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 3 other signatures 2->45 8 mr0bho5v3G.exe 1 3 2->8         started        11 rundll32.exe 2->11         started        signatures3 process4 file5 21 C:\Users\user\AppData\Local\...\wiferedov.exe, PE32 8->21 dropped 13 wiferedov.exe 15 3 8->13         started        process6 dnsIp7 29 i.ibb.co 162.19.58.160, 443, 49701 CENTURYLINK-US-LEGACY-QWESTUS United States 13->29 47 Multi AV Scanner detection for dropped file 13->47 49 Writes to foreign memory regions 13->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->51 53 Injects a PE file into a foreign processes 13->53 17 InstallUtil.exe 14 5 13->17         started        signatures8 process9 dnsIp10 23 45.15.156.155, 49702, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 17->23 25 api.ip.sb 17->25 31 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->31 33 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->33 35 Tries to harvest and steal browser information (history, passwords, etc) 17->35 37 Tries to steal Crypto Currency Wallets 17->37 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d/
Threat name:
Win64.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 01:26:23 UTC
AV detection:
11 of 38 (28.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjqscqjkum432yuyny74wqv2mryuvquit47eo33mfnotwzzmiggq._file
Verdict:
malicious
Similar samples:
70a6dfe9850d95ba4af4315f327cbc7811a43ecaa5a2807904129243ab6e8bf2
RedLineStealer
7582fcf573ff933d5e7a8f4677b05c84cc645c10ffabcd1b223cec2530c61028
RedLineStealer
7c6768c3df66679759c311920c23a9474527e8c00cc64e708ef7d3cd3288f3ee
RedLineStealer
8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9
RedLineStealer
9bb44477f819d5e21fccd7431311639444e8cf7793c05bf2bc1d6b2e235b6108
RedLineStealer
b42efeb49eaf39524073c5e8a8230ce592bfa6e8333bbecc4a599a0bf3740975
RedLineStealer
e302530e680780414528ef634f5e9c258ddcedbca098eb079be321650441b1f8
RedLineStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230314-w6ltvahb39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d
MD5 hash:
16439194756b561bb344a6d5cb08a2c9
SHA1 hash:
35a78f621eb591e9b564184dff2516467a6cdb97
Link:
https://www.unpac.me/results/1b577849-d1f0-449a-b0d7-f69fa8623d3e/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/926121412aa3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2570346/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/374345/

Comments