MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4
SHA3-384 hash:	6c327b9246a4bc15228eb7a36c26481076cd0a11d508fc106eb893f1aa757f2064ff900308679d8341f6e032dfafef92
SHA1 hash:	f18936fd18c1b0e0f854685a3bcda15edee9cc22
MD5 hash:	0f70abb521b296bc4697895877ebb511
humanhash:	three-bluebird-idaho-november
File name:	0f70abb521b296bc4697895877ebb511.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	512'000 bytes
First seen:	2023-12-24 08:22:03 UTC
Last seen:	2023-12-24 10:14:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:aGrHy0oeudJignJ1p+OHrRjsHejEF+QFpk3ht4ssxqB+lk/Q5MsVpgeH82i8:aGrHrOJTnJ1p+OHrRgCEXCQqokWMsVW
TLSH	T1E2B4BF6867A78D37E388433AD0C98165A7F4891FE647F64C744522D48D0739BEE027EB
TrID	66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

phorpiex

ID:

File name:

4363463463464363463463463.exe

Verdict:

Malicious activity

Analysis date:

2023-12-22 08:42:24 UTC

Tags:

loader hausbomber opendir phorpiex trojan rhadamanthys stealer azorult evasion parallax remote purplefox backdoor systembc proxy botnet formbook spyware redline arechclient2 pureloader purecrypter stealc dupzom servstart autoit rat dcrat ramnit lumma amadey metasploit gh0st

Link:

https://app.any.run/tasks/04f9baa5-1f1d-4116-8c28-30d05775f663

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/469196/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.35190.21406.5046.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

Forced shutdown of a system process

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed stealer

Link:

https://www.filescan.io/uploads/6587ea366b1c246046049f1a/reports/67d2911e-5589-4acf-b836-c3c7b7351de4/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MassLogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e507525-8db5-4940-af6f-d95205f2a099

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1366654

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-12-22 12:41:48 UTC

AV detection:

13 of 37 (35.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sx6xendgkflzccf4tzuryzyyhezohbcbcxped73pdsqx6qapzg2a._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:redline family:zgrat botnet:work28.7 discovery infostealer rat spyware stealer

Link:

https://tria.ge/reports/231224-j9la9sdgf8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Detect ZGRat V1

RedLine

RedLine payload

ZGRat

Malware Config

C2 Extraction:

194.33.191.102:21751

Unpacked files

SH256 hash:

2b9e2ea3bd8cf10f77db40ffc0a7c5425d891430f5a9feb199e6abf1e89a0735

MD5 hash:

d4f6d30d33f57d351dc127cfea83f1b8

SHA1 hash:

ac49e829c04828eea1675ae42d315891fcfd5e23

Detections:

redline

Link:

https://www.unpac.me/results/d79fcddf-8e71-4b73-a2d6-c030a0f7e5eb/

Parent samples :

573829010e86ad1c19fb478ccdb0a422759afe038664cc7de2e41ae6f5d4d196
95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4
b224f01d877a0bbfbadeb54f49e7e1efb2762d27fa2c4e15f2567a59a37f15bd
952ed9e258ca3af11547c77a5949b36c3497f75177c1d9a819516ef6c923fa9e
b7a46b6c3fd98866134d8a5831a82b7444c0c2d5fe6692adfab92051e3541c7f
960c58c5c9c3b495ca27e3e98f19c28a79ce1b6d1c998f1186bca090a7618df7

SH256 hash:

95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4

MD5 hash:

0f70abb521b296bc4697895877ebb511

SHA1 hash:

f18936fd18c1b0e0f854685a3bcda15edee9cc22

Link:

https://www.unpac.me/results/d79fcddf-8e71-4b73-a2d6-c030a0f7e5eb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/95fd72346651/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 95fd72346651579108bc9e691c67183932e3844115de41ff6f1ca17f400fc9b4

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2739787/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/469196/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample