MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e
SHA3-384 hash: c18ada4917e01f5107e78948dc863cf421b81164942216679e45df004cbadecbd159f0bb76bb67aa2bd3bb92d884241b
SHA1 hash: e9f7a40033d6ed7903d50c97ea4953695eabe255
MD5 hash: fb08baadcb6824e5b48a7d1a66151484
humanhash: may-romeo-vegan-foxtrot
File name:fb08baadcb6824e5b48a7d1a66151484.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:293'080 bytes
First seen:2023-12-04 08:10:13 UTC
Last seen:2023-12-04 09:39:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b6f30f5e7d47b4dde1cbc2055bdcbcdd (6 x RedLineStealer)
ssdeep 3072:uUKx6WcVXQBbKu3f5AZvXm7JYkI1KfT+CI8wxLz8Om+9ldzZC+tSjCIsjiNl0f+b:ujdf5AZvRk2x/87mC+tSjDeZcGM2K1
Threatray 1'686 similar samples on MalwareBazaar
TLSH T1F15408A2D1A4EB13CD4BD0B5373B9C39190DA126FE7CCF176E0B1AE361B29062255E47
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4505/5/1)
11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
11.4% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.132.4:26066

Intelligence

File Origin
# of uploads :
2
# of downloads :
364
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
New Text Document.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-12-04 13:30:34 UTC
Tags:
opendir loader amadey botnet stealer agenttesla redline evasion risepro stealc gcleaner arechclient2 backdoor rat remcos remote nanocore trojan lokibot systembc proxy metasploit grmsk dcrat
Link:
https://app.any.run/tasks/324ec81b-332a-4be4-94f8-f5ce23909df3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462252/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19690.13756.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/656d89967485e5b1ecc5bd58/reports/b48fd1de-5d3a-49c1-9e15-7bf1d026a274/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5bbaf489-5f94-4ef0-a0f2-27ba30b619ca
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352951
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 08:11:04 UTC
File Type:
PE (Exe)
AV detection:
19 of 22 (86.36%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ueaao57j3ipxu6lf7pbylkpqitd5revjjfhimt7fvhh5kaw5vfxa._file
Verdict:
malicious
Similar samples:
3cb612fb1e493424a52d66e74ad2d295eda8b6f3dba311518974d42bbc2d12d8
RedLineStealer
6ee3240e69f9f078386e729d2f2bc6613a062ca07b157e23e4ebc696f4cf7d2d
RedLineStealer
850263d1dac582f1d8c9cb585e73b54124ed5c9c58564a89508072b93d73865b
RedLineStealer
862ff11452de99418139941018e044e7802fad311d21ddd396a5476adbe56352
RedLineStealer
8a7cc5239d412feb2e6977e47b1f3ca475fb70172ac200b81ed7700a4097564f
RedLineStealer
a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e
RedLineStealer
+ 1'676 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:work discovery infostealer spyware stealer
Link:
https://tria.ge/reports/231204-j29nwshg8v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.132.4:26066
Unpacked files
SH256 hash:
ff4e2538d00990bde9bff90f3aaebb6f45efc63b426898850755c86bc2ea5ee1
MD5 hash:
d239d6f9273c4cb6ed7ad412d452b192
SHA1 hash:
90ced5097fc5d7cc1b9931b798d7d77a878c1d21
Detections:
redline
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/0b5922c2-e769-495f-bc13-9f22f7b95701/
Parent samples :
035f228a83a0116c4ec59158d58628c3c7ddd8838d0ad3ff6d1566a90f6a609d
6ffe0dd653b65119676d6b1398831d1a4866dbdb14396692d2e3d422b22f1b37
a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e
940c700e6d9796aff9e533e8a52148bd6acc36847a1a79950684cdea25e7208e
SH256 hash:
a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e
MD5 hash:
fb08baadcb6824e5b48a7d1a66151484
SHA1 hash:
e9f7a40033d6ed7903d50c97ea4953695eabe255
Link:
https://www.unpac.me/results/0b5922c2-e769-495f-bc13-9f22f7b95701/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a1000777e9da1f7a7965fbc385a9f044c7d892a9494e864fe5a9cfd502dda96e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2736837/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/462252/

Comments