MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
SHA3-384 hash: 583efabbb8cd0c3d6cfa31e07f16c3aa6635b0b5c6edb4718b96aae65be5c1c1d231735b964f6b8dc283252172cf1daf
SHA1 hash: 8244c3d5676399da93c837748fbe11938a48a568
MD5 hash: 43e1d9e742cb386b808462c427b2bcc4
humanhash: butter-kentucky-arkansas-ceiling
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:345'088 bytes
First seen:2023-10-15 11:58:38 UTC
Last seen:2023-10-16 06:35:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7c9eb7dc16fdf30c39a296c30ab2134 (2 x RedLineStealer, 1 x Amadey, 1 x LummaStealer)
ssdeep 6144:+d/gu3PkiaRnyYASHSFDOJe0NjIGG8TDUOHFMlhTI8r2Vod5ptYq69XLsJ3OjPGr:+Zgu3+HSFDOJe0NjIGG8TDUwFMlhTI8L
Threatray 1'222 similar samples on MalwareBazaar
TLSH T1B3741A097ED6AC16C51E44FBC434A19DFE2EB8ED3160AA9765760884EF2D349733C4CA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
67
# of downloads :
327
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-15 12:01:31 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/b39b77ed-77a5-48a6-97e4-17c8711eb7a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454541/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.5346.15241.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Delayed writing of the file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652bd406d9aa132701838af8/reports/30d73dd9-810f-402c-8209-d5f58808be02/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c59c8f7b-ba9b-47ef-800e-f37139864090
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325916
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-15 11:59:05 UTC
File Type:
PE (Exe)
AV detection:
19 of 22 (86.36%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=srrasvospvbfujme6y3ivrvv5c32hnp4j7fvbagm4ttg5bnjmtga._file
Verdict:
malicious
Similar samples:
02fa85eb8eeda88516e12aa6ff29d988a2e2aa34c12a53a08ce518f92764454f
RedLineStealer
07a909ceb7de84d106e86e0a7102a15650c52ba903d087ec5432362a6fe68f3a
RedLineStealer
101a5e5f26d1eb12148be6c74b122ff31d3673c022bff87cde6c268b6c2a95e9
RedLineStealer
1280f3b0685a9b93304138a84f844b46e9299e692e39cde9c3aff4f66c0a1171
RedLineStealer
2271bf80772214c3c9b8d0a3dd7b5fc40bc08b69e649c444fc82a035505a2d81
RedLineStealer
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
RedLineStealer
7a5123e6567a7d3389544141839d60714b49e078037c683fdd3a8f8211bff9ce
RedLineStealer
88538ade562cb5b8fdf599a711369cc4fc117c0d36b71c86f27b42b7b914cdb0
RedLineStealer
e37dc31d94e2f4ec52641316c1e17dad42a321ecce88e6371488cde1bc3218b4
RedLineStealer
f8f15a43caa4a592b4aff56180f0f2569b58197b7a38b132500da2bc65dc08bd
RedLineStealer
+ 1'212 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:build285 infostealer spyware
Link:
https://tria.ge/reports/231015-n5p6wahb75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02
MD5 hash:
281cdc7e284b96011624acded1859799
SHA1 hash:
af8e34c4c7708547c8f2d35a13121c7a9d6fcd20
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8add68c1-15b8-4b72-85f6-ae3b47c0610d/
Parent samples :
399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d
SH256 hash:
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
MD5 hash:
43e1d9e742cb386b808462c427b2bcc4
SHA1 hash:
8244c3d5676399da93c837748fbe11938a48a568
Link:
https://www.unpac.me/results/8add68c1-15b8-4b72-85f6-ae3b47c0610d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/454541/
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/

Comments