MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
SHA3-384 hash:	6a3149f7fcd7c621076e841ad4b13c88720d22e3f811b9675208a01bf7b71ce19ced0cf4589b326c09c2ee283dd1d662
SHA1 hash:	44e121ce364df2d247ec2a8a82cc29e7f1f3f49f
MD5 hash:	20f647726d2257ede2da5bf827250e2d
humanhash:	alpha-uranus-romeo-snake
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	347'648 bytes
First seen:	2023-10-15 07:23:05 UTC
Last seen:	2023-10-15 11:47:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	89b4938a013d6b8954f68c2ef1293c62 (10 x RedLineStealer, 4 x Amadey, 4 x LummaStealer)
ssdeep	6144:cFJsICnU9Q8qlrRRSX8oTGD7mQoRIFsSa+JCZh51y+94Vj+rPoJ:c/sICnVLoUmRIFsS/0PoJ
Threatray	1'200 similar samples on MalwareBazaar
TLSH	T13B7419C9F98406E1CCB50A3A7708DC6A2B69E4788E93B5C759C74430BA3DB864C5CE7D
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

Vendor Threat Intelligence

Malware family:

oski

ID:

File name:

https://silkylearning.com/wp-download/archive.7z

Verdict:

Malicious activity

Analysis date:

2023-10-15 07:22:06 UTC

Tags:

privateloader evasion opendir loader risepro stealer stealc oski amadey botnet trojan redline ransomware stop smoke sinkhole vidar arkei kelihos miner dcrat rat backdoor remote g0njxa

Link:

https://app.any.run/tasks/16bccff3-fb5b-49fb-ab6c-e0800d06cda9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454506/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.20541.16725.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Suspicious

Threat level:

2.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/652b93a728455aedec118183/reports/3c9c97ff-366d-4bc7-ba0a-745849c37eae/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21188be5-08fa-4e1c-8ad3-2e228ddb4e37

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1325874

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

High number of junk calls founds (likely related to sandbox DOS / API hammering)

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a/

Threat name:

Win32.Spyware.TrickBot

Status:

Malicious

First seen:

2023-10-15 08:02:09 UTC

File Type:

PE (Exe)

AV detection:

20 of 23 (86.96%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ue6zqduu5nataeyyfpb24kw3kqi7sgg3cdbgwlslx56khosrmfva._file

Verdict:

malicious

RedLineStealer

3f61b1490dccdd36a2307b6376b6b682b988815bbd7ac5805315ff2f7f6aa649

RedLineStealer

5ccd3fc1613c48f85aad3fb1946ec858d17e42021e77a1cd681406b6b6b0b557

RedLineStealer

64263a4ed1a6432b06bc1729d818182081babbe97f02fd6f61f2d09e3e657dc0

RedLineStealer

7ee31d9861f8144887ba4516b71831a3991858a6815faa8fd2b643b0265e5c38

RedLineStealer

bbb535e87b6d2fde49c6b143af1a003b5670b422937c9dd0cf5424bd212dfc01

RedLineStealer

c6b19365669e5870d1bde6cdd78af63eb23052de33cac70d85e8c5456c784fd4

RedLineStealer

cde2e1845435e14d8580d0e15264eecb234c7bb7e289abc71dd5f07f17a53d0f

RedLineStealer

cfbd24a3ff45eb3d630bbe3fa9d8db4fc6c4e78da702a3e5f1aec08973b60c2a

RedLineStealer

e07207fa4b032992e771e99f27f6e05ff2a30a59b51c3e2b69ff0aea7d24490f

RedLineStealer

+ 1'190 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:build285 infostealer spyware

Link:

https://tria.ge/reports/231015-h8kgxadd8z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

194.169.175.232:45451

Unpacked files

SH256 hash:

4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02

MD5 hash:

281cdc7e284b96011624acded1859799

SHA1 hash:

af8e34c4c7708547c8f2d35a13121c7a9d6fcd20

Detections:

redline

Link:

https://www.unpac.me/results/7589140b-e1a1-40a8-9fbd-d6b408eb360b/

Parent samples :

399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d

SH256 hash:

a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a

MD5 hash:

20f647726d2257ede2da5bf827250e2d

SHA1 hash:

44e121ce364df2d247ec2a8a82cc29e7f1f3f49f

Link:

https://www.unpac.me/results/7589140b-e1a1-40a8-9fbd-d6b408eb360b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/454506/

URLhaus

https://urlhaus.abuse.ch/url/2706937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample