MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995dea5c8644ca0dfcc0559bb6b0ef232bc69b40813334818a7edb996b406cd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	995dea5c8644ca0dfcc0559bb6b0ef232bc69b40813334818a7edb996b406cd4
SHA3-384 hash:	3a0048cc3f82665edbae789e4a1cecc87f7b21bd2a9596fa4706b70af2810fa2c3256254f15dee13727967d3b9ae1164
SHA1 hash:	9fc181caa6f731fc1398f81c82d9526841a9990f
MD5 hash:	661482f71ba138705364211a89ee0fde
humanhash:	lemon-east-delaware-charlie
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'138'080 bytes
First seen:	2023-10-19 14:05:57 UTC
Last seen:	2023-10-19 16:06:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cd707db284568ca384c71c5e8ff8d2dd (2 x RedLineStealer)
ssdeep	24576:1h391B1gh9Y+DOnzG2f0hmS5gM3anVkdddkMPRskm:5S9Y+DOzGrDyaPur
Threatray	44 similar samples on MalwareBazaar
TLSH	T1B2358C203980C7F9EFD61077CEECB9A4815DB0B8172585EB52E792EED2149C1FE315A2
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://171.22.28.213/3.exe

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-10-19 14:08:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/beae521d-933d-4e40-9caa-7c4a4d7f5274

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Pwsx-10008461-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/653137cbba877ae5591173ed/reports/59dd1566-815b-4573-b87a-7c23f1c46e82/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/995dea5c8644ca0dfcc0559bb6b0ef232bc69b40813334818a7edb996b406cd4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aa398585-be6c-4a5d-8b08-00dcee9780c4

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1328743

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/995dea5c8644ca0dfcc0559bb6b0ef232bc69b40813334818a7edb996b406cd4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/995dea5c8644ca0dfcc0559bb6b0ef232bc69b40813334818a7edb996b406cd4/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-10-19 14:06:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tfo6uxegitfa37gakwn3nmhpemv4ng2aqeztjamkp3nzs22antka._file

Verdict:

malicious

RedLineStealer

6ca29012d6cb607eb6d565283eab3f55a1855417a2481c86f3f2641baeb45223

RedLineStealer

6e183fbb7006572b28fe4283d9cc9f240913cc376912885e6927d7ce3687eb15

RedLineStealer

a85b8341d1594f4ec7d0aaf1cb367c0fe92ecd1914666107d1ed720d2bb7a1a2

RedLineStealer

cb70ad60ec16341e48b3e80868ea7fdcd3f630723dfa6335d7b79ed01dcd7634

RedLineStealer

d66922b28048229f0d1700f944e7b94e282f99d838524e6a8f85f6bdee8c3424

RedLineStealer

+ 34 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/231019-redlyahg96/

Unpacked files

SH256 hash:

995dea5c8644ca0dfcc0559bb6b0ef232bc69b40813334818a7edb996b406cd4

MD5 hash:

661482f71ba138705364211a89ee0fde

SHA1 hash:

9fc181caa6f731fc1398f81c82d9526841a9990f

Link:

https://www.unpac.me/results/8c8c08f8-161e-4ef3-b2cd-3a36d66cfcd3/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2716401/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample