MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2
SHA3-384 hash: 09e3293bd3406dcb84ee9a3ef56a455d4d9587dcb919536b5895c995ff4fb49ca8eaad782434a8252ce56a13193a2d7a
SHA1 hash: 856cff8f404d3cc19a44e9d82c4df0beb4d690b1
MD5 hash: 2f5823391f1220fbf4efc051d44fec9c
humanhash: autumn-lactose-princess-undress
File name:2f5823391f1220fbf4efc051d44fec9c.bin
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'928'192 bytes
First seen:2023-10-06 07:53:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b092678fc438a3bc6ea71ba0ea4cfa08 (12 x RedLineStealer, 4 x MysticStealer, 2 x Stealc)
ssdeep 24576:VJxY5KgFimILMhVVdDqgH9Y2ku6a9DhvhM2dq50sk07aKdBKf:VdgFimILMhDZqcYru6a3vIT2f
Threatray 188 similar samples on MalwareBazaar
TLSH T1F995091126F95B59F5F30BB856BAA6118C7ABCA9CF10C6DF129050CE0F23AD49970B37
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:bin exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
73cf59fddb613a5381995e640546dada.exe
Verdict:
Malicious activity
Analysis date:
2023-10-05 17:46:41 UTC
Tags:
loader smoke opendir stealc stealer amadey botnet trojan redline
Link:
https://app.any.run/tasks/4d06265b-049d-4425-8301-8b05fbae0ced

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61882.5230.12259.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin masquerade
Link:
https://www.filescan.io/uploads/651fbd1d1e07d7e1e9b44d39/reports/4290bb48-f154-413d-9e98-986909b63bf1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320770
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-05 13:22:29 UTC
File Type:
PE (Exe)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=snnfzh3ay3hgziu5lsktsmedbal2uexgnvto4h6vh5fk37enpdra._file
Verdict:
malicious
Similar samples:
108cf61a1fb5f4f20c05e79717ec74bafc4b715f32705fa5e243ecd1da7e33c0
RedLineStealer
2396b598bc772acaf763c343493262acf07ee418288c9f12590451d491c25e0d
RedLineStealer
3580ee6c69a90fc6abdb279a0dc049e3244b651633a370a88082fa6b6c036c93
RedLineStealer
3b9edd34b369ce1a86c5a19058907c9bd7c656330d39cbf14e6a6f3ac717f12d
RedLineStealer
4e13187cf3b12225f1d1f6b5522401d26b6a4cba66aa76c559d278d249bc29da
RedLineStealer
58448c417657e36527847d43cb0adc5e910b8e5211cbf8b3fc35c52b59332c53
RedLineStealer
c866958adc13619f9e5778c37d9e14c13d76fb036342aacf7a384d945add6da0
RedLineStealer
ca7017068fc3c6715a095bf0545d359ecc06c426c6750acd6e24148d5e942791
RedLineStealer
eadfa96ccc8310d66e17163dca4825b97b5ca5d510faf53449a85caafdc66809
RedLineStealer
fd42fff03752fe763d0e90f0c164ad376edaf3c24b7bc872c70ecf236ebf9f10
RedLineStealer
+ 178 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:frant infostealer
Link:
https://tria.ge/reports/231006-jrjpqahg7z/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
81cba4a3887b1b32dac54b2872641ce273ce728c8d0dbd8f89dd59504359a3e4
MD5 hash:
e394a67b4cc60338df57a6cee5848101
SHA1 hash:
16ec2a17b34bf0bcb8985b2eda308e9ba82fdd92
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6de15988-c597-4411-aeb8-07f57977dbf6/
Parent samples :
935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2
ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3
fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
SH256 hash:
935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2
MD5 hash:
2f5823391f1220fbf4efc051d44fec9c
SHA1 hash:
856cff8f404d3cc19a44e9d82c4df0beb4d690b1
Link:
https://www.unpac.me/results/6de15988-c597-4411-aeb8-07f57977dbf6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments