MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b40ddb1bd9ac664ac385a25e4947acb591edd202cad89956102b789e0a608f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b40ddb1bd9ac664ac385a25e4947acb591edd202cad89956102b789e0a608f7
SHA3-384 hash: cd54f5f92d254e86fa360723caa191b7b6eb36791f60c057c1f2b51b32598a18a211cbc330963d602ef8bb02cc7be54a
SHA1 hash: 50f0fa60c55ca04d3f7b0e875ca5dc078650fb11
MD5 hash: 71f9ded48585b9bf3b813a3eadd5cd5d
humanhash: delta-colorado-coffee-two
File name:information.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'515'648 bytes
First seen:2023-10-01 13:20:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:Pa0FomejD+5ik0s2D3PaFX/3jNV7iVlCP6Ii:PnZSDYik0s2DiFX/TNV7QwP6I
Threatray 301 similar samples on MalwareBazaar
TLSH T10676330FA0ACCAAFCE514CFD7B63930C1177340D692AE3174CE9D5A46419BE893D6A63
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4dadac2dae482c2 (5 x RedLineStealer, 2 x Formbook, 1 x NanoCore)
Reporter JAMESWT_WT
Tags:77-91-97-131 bookinggoogledrive exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452490/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19463.31459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/651972400870810f018a597c/reports/7302275a-ab93-4784-9703-9b49f978249e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9b40ddb1bd9ac664ac385a25e4947acb591edd202cad89956102b789e0a608f7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/801bf34d-0ccd-48c9-b560-c63036c68507
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317537
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b40ddb1bd9ac664ac385a25e4947acb591edd202cad89956102b789e0a608f7/
Threat name:
Win32.Trojan.MarsStealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-01 13:19:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tnan3mn5tldgjlbylis6jfd2znmr5xjafswytflbak3ytyfgbd3q._file
Verdict:
malicious
Similar samples:
020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
RedLineStealer
193b4c7d1fc068516bd8769e7c233afe88e165d9c5a783f5de0d98611d5c84c4
RedLineStealer
1d59250f90f7146e8181c11f7a731e381d22a07675aafeec48c46b7b0ae937df
RedLineStealer
21c16c4ece7acb14119e33f2bdd5ee40197fc43d0e93d9841c9a6c281a739cb5
RedLineStealer
370b12fd3dd8a9e65e3b8257072b6a79bfc17844d685496ad491b80dfc8adf27
RedLineStealer
5459835af56f5d5fd3bf0a3abb1cedc126a63c57eef8c0bcbd797366177a8f0d
RedLineStealer
549215a7b9832f2cdb44be0692842ee2bf3042a84073e53d1081ca2663db37ba
RedLineStealer
7e93fa1eab66dd0436c705a8d5163e850d6e0a67374ca7aefb4c3cafd8145394
RedLineStealer
82ce3e2075a04b41fe2ba4551ae1e919e04986b64e470dccea4c5d6763722f0c
RedLineStealer
d6702ffbfccb1f8aaa0e40c39a2257f0da03fdbff4b9aeb528156e316d6b0701
RedLineStealer
+ 291 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/231001-qlnj2sce94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Unpacked files
SH256 hash:
282c5343de56b847e921e4dcaa48ee30ddbfa292e64359aac58882dd52ef2ff9
MD5 hash:
c2a6736eacaf2161ad4082a7768ef9e4
SHA1 hash:
ed9366b9332bfbeeeaed08daff5c0187172a5989
Link:
https://www.unpac.me/results/03741a48-934d-4de1-8e44-4c3104b0f0a8/
SH256 hash:
aa3326e7f079ea9910a5ed11641741e4de945852b3704c04d4968f3f591342a9
MD5 hash:
2b5ea9bea4c4c48aed6146449bb04790
SHA1 hash:
b7813c22696189f8864d1abb580da9991b3b0069
Link:
https://www.unpac.me/results/03741a48-934d-4de1-8e44-4c3104b0f0a8/
SH256 hash:
9b40ddb1bd9ac664ac385a25e4947acb591edd202cad89956102b789e0a608f7
MD5 hash:
71f9ded48585b9bf3b813a3eadd5cd5d
SHA1 hash:
50f0fa60c55ca04d3f7b0e875ca5dc078650fb11
Link:
https://www.unpac.me/results/03741a48-934d-4de1-8e44-4c3104b0f0a8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9b40ddb1bd9a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b40ddb1bd9ac664ac385a25e4947acb591edd202cad89956102b789e0a608f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_stealer_bytecodes_sep_203
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9b40ddb1bd9ac664ac385a25e4947acb591edd202cad89956102b789e0a608f7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715462/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/452490/

Comments