MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 8 File information Comments

SHA256 hash:	a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4
SHA3-384 hash:	ca9c8d40340129d3055ec1cddf989f806de96102ed1443d4e6ad4405a50252a1a944562dfa1fc703e1ad2964f7d86dd8
SHA1 hash:	6c491a3e80bf2f65531791d2ebc12ec29672f61f
MD5 hash:	2cedad17b383df15071a46bcb9ea2208
humanhash:	indigo-south-violet-pip
File name:	2cedad17b383df15071a46bcb9ea2208.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'629'460 bytes
First seen:	2024-02-20 19:10:37 UTC
Last seen:	2024-07-25 02:05:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f494e9bb2753c3b395b9806eb5f3c320 (4 x RedLineStealer, 3 x LummaStealer)
ssdeep	98304:sp+QBdpsU3FuIPELrDb/50L+t1GXr7xnmYeb03S9L3:SJdj3oIcLbCqtudzbCx3
Threatray	77 similar samples on MalwareBazaar
TLSH	T1C2F53301BDE04B24EFE07E7406658C5A15C6EE346B00A5D3EFA10E5EAEB5180DD2F6BD
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
5.75.210.22:443

Intelligence

File Origin

# of uploads :

# of downloads :

345

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/477125/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed redline

Link:

https://www.filescan.io/uploads/65d4f94cc0d10a13926c1948/reports/0a053160-d75e-47dc-b3ab-cbab582383f1/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9f20cb27-803c-4106-b071-056c43b7ff4f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1395602

Signature

Connects to a pastebin service (likely for C&C)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2024-02-16 19:11:00 UTC

File Type:

PE (Exe)

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uau6k5vf2uqc5xhdsmem3d4qxfmu7wbsxy2unxvn3lzb5jiwkpka._file

Verdict:

malicious

RedLineStealer

59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655

RedLineStealer

6aaf7768525102f1d8f6418756663c78898e0b701222a196636dfe3d9fb23c62

RedLineStealer

a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4

RedLineStealer

cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d

RedLineStealer

+ 67 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:5637482599 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/240220-xvxbwade9w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

https://pastebin.com/raw/NgsUAPya

Unpacked files

SH256 hash:

2f2c885ab8e7dc61687039323ef017968c746b0ef48f92ff2f3600aac3c18e88

MD5 hash:

11277e7584787725a9cbc184c967006b

SHA1 hash:

2ad677e9ce23eb334588fb7c5ad5fe15893de3a1

Detections:

redline

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/2c742335-920b-4051-b278-6daf3fdf3f31/

Parent samples :

a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4
dae690c700dd9bfe65154f5ae64a1c439d8792d26fc858b41d2590e166588859
b402bc88622f32efecb63d8ff1676cd4621d0d4752b3749a37d0e855480ef4d1
54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b
71717c434a87554cdeaf52f6c6f3049968ddb2f74f8d0386938977b86e827fc2

SH256 hash:

a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4

MD5 hash:

2cedad17b383df15071a46bcb9ea2208

SHA1 hash:

6c491a3e80bf2f65531791d2ebc12ec29672f61f

Link:

https://www.unpac.me/results/2c742335-920b-4051-b278-6daf3fdf3f31/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a029e576a5d5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a029e576a5d5202edce39308cd8f90b9594fd832be3546deaddaf21ea51653d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_MetaStealer Create hunting rule
Author:	ditekSHen
Description:	Detects MetaStealer infostealer

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Generic_Threat_b1f6f662 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/477125/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample