MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9526753470158f5c148ba6c12f2dbd0f77cbe830ace567c44b5399d0e05b2b0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 9526753470158f5c148ba6c12f2dbd0f77cbe830ace567c44b5399d0e05b2b0c
SHA3-384 hash: 666dd3ac6fdd67ff0c347c0d1cc31227f0b6235ce32335a246aa055a25086d3d946ef0e54cb31b14a053c7b04e377479
SHA1 hash: 7cc5f989a483ec381d0293978796e28a4e8b4a90
MD5 hash: 9a0770b61e54640630a3c8542c5bc7ac
humanhash: fillet-fix-missouri-sodium
File name: file
Signature: RedLineStealer
File size: 5'061'898 bytes
First seen: 2024-09-03 22:01:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ce92706925e359aa40f23197a9743843 (2 x RedLineStealer, 1 x Mimikatz)
ssdeep: 98304:wy5/EENF6+Gdav+NqOb1pdHwbsMnKMpgMFboMhW2qIYPyDFG4Z5yJSO3oa:hVzNGdbpBwoMnKMpgWoMhW2jg4LyJv3X
TLSH: T186363316702424BAE076C5FBCE5295BAFB723D861F11E3971622B3A34F72BC5E815306
TrID:
  45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.3% (.EXE) OS/2 Executable (generic) (2029/13)
  18.0% (.EXE) Generic Win/DOS Executable (2002/3)
  18.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: f8b2d4f0f0d4b2e8 (1 x RedLineStealer)
Reporter: Bitsight
Tags: exe RedLineStealer


Reporter comment (Bitsight):
url: http://147.45.44.104/yuop/66d7540419a3a_installer.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 479
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Suspicious activity
Analysis date: 2024-09-03 22:04:26 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 93.3%
Tags: Encryption Execution Generic Network Static Stealth Heur
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Creating a file in the %temp% subdirectories
  Restart of the analyzed sample
  Creating synchronization primitives
  Launching a process
  Creating a file
  Running batch commands
  Creating a process with a hidden window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint installer keylogger lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details:
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine Stealer
Verdict: Malicious

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 52 / 100
Signature:
  Malicious sample detected (through community Yara rule)
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour:
Behavior Graph (ID 1503781; sample: file.exe; start date: 04/09/2024; architecture: WINDOWS; score: 52):
  file.exe started
    dropped: C:\Users\user\AppData\Local\...\setup_app.dll (PE32+)
    file.exe started
      rundll32.exe started
        signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    cmd.exe started
      conhost.exe started
  signature: Malicious sample detected (through community Yara rule)
Verdict: unknown

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
  Deletes itself
  Loads dropped DLL

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 2a07e9d82531a6e8707d010d217157303a827d8ecce36f58372401b87849728e
MD5 hash: 6564864bc27d4f1fd140648fbea35a0f
SHA1 hash: 0fbce743661919c46427c59237a2c823155eac31

SHA256 hash: 95349cbb0ce9bd2bb939c04e611750eca5d1ac1b8baa53641c28c147a59dc725
MD5 hash: 95b2c0f892fe4c15ac1d4929bcb54df1
SHA1 hash: b13abc14da4b7f1c0a8f5aacd98f0c6fb18873fd

SHA256 hash: 9526753470158f5c148ba6c12f2dbd0f77cbe830ace567c44b5399d0e05b2b0c
MD5 hash: 9a0770b61e54640630a3c8542c5bc7ac
SHA1 hash: 7cc5f989a483ec381d0293978796e28a4e8b4a90
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample: RedLineStealer, Executable exe, 9526753470158f5c148ba6c12f2dbd0f77cbe830ace567c44b5399d0e05b2b0c (this sample)
Dropped by: Privateloader
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                       | Title                                                          | Severity
CHECK_AUTHENTICODE       | Missing Authenticode                                           | high
CHECK_DLL_CHARACTERISTICS| Missing dll Security Characteristics (HIGH_ENTROPY_VA)          | high
CHECK_NX                 | Missing Non-Executable Memory Protection                       | critical
CHECK_PIE                | Missing Position-Independent Executable (PIE) Protection       | high

Reviews

ID                | Capabilities                     | Evidence
AUTH_API          | Manipulates User Authorization   | ADVAPI32.dll::AllocateAndInitializeSid
                  |                                  | ADVAPI32.dll::FreeSid
COM_BASE_API      | Can Download & Execute components| ole32.dll::CoCreateInstance
                  |                                  | ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API | Uses Security Base API           | ADVAPI32.dll::CheckTokenMembership
SHELL_API         | Manipulates System Shell         | SHELL32.dll::ShellExecuteW
                  |                                  | SHELL32.dll::ShellExecuteExW
                  |                                  | SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads   | KERNEL32.dll::CreateProcessW
                  |                                  | KERNEL32.dll::CloseHandle
                  |                                  | KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                | KERNEL32.dll::LoadLibraryA
                  |                                  | KERNEL32.dll::GetDriveTypeW
                  |                                  | KERNEL32.dll::GetStartupInfoW
                  |                                  | KERNEL32.dll::GetDiskFreeSpaceExW
                  |                                  | KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs       | KERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_API   | Can Create Files                 | KERNEL32.dll::CreateDirectoryW
                  |                                  | KERNEL32.dll::CreateFileW
                  |                                  | KERNEL32.dll::DeleteFileW
                  |                                  | KERNEL32.dll::GetSystemDirectoryW
                  |                                  | KERNEL32.dll::GetFileAttributesW
                  |                                  | KERNEL32.dll::FindFirstFileW
WIN_USER_API      | Performs GUI Actions             | USER32.dll::CreateWindowExW
