MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b
SHA3-384 hash:	e9c63d9022c5fc0d8d597051d7e98f77a3057451a6f800f14103b3b8180d74b7dda5c3a58f9233f1c18d5e2ef2824cd8
SHA1 hash:	163270d239a2020c062a5628536d84f78f95e981
MD5 hash:	d86816e976e8938f119f3ff64554846e
humanhash:	lake-march-chicken-oranges
File name:	D86816E976E8938F119F3FF64554846E.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	325'477 bytes
First seen:	2023-10-26 08:30:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42dc4b97f00c0e49be924a48eec20081 (2 x RedLineStealer, 1 x PovertyStealer)
ssdeep	3072:kbxlFS03aYxynslteuBD4XJLtZRe9Kx14m1ZDyluyGgWe:+3KnWteE4X51H1DFyGgWe
Threatray	16 similar samples on MalwareBazaar
TLSH	T11C648D15E9C3B431E7AA54B58058F6D06156BC6C0F4642B3E7CC02379B98FF6A235E8B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
49.12.116.192:443

Intelligence

File Origin

# of uploads :

# of downloads :

348

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/456503/

Detection(s):

Win.Packed.Zusy-10011842-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay

Link:

https://www.filescan.io/uploads/653a23c64ebf05ac3f3a2315/reports/573f75fb-2520-4a78-aa5a-67495266fec1/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/379bc093-bb54-4543-be8b-65f9275891d6

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1332529

Signature

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b/

Threat name:

Win32.Trojan.Deyma

Status:

Malicious

First seen:

2023-10-22 20:50:30 UTC

File Type:

PE (Exe)

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vir4rnsgqwj5ep46dbvx2n32me3kftlm63v6p2jhcantn7u36ivq._file

Verdict:

malicious

RedLineStealer

3eb310f8d5efd369668424db8a545463e51dda3583a7054bdcba894c20513be9

RedLineStealer

5a5a392f1ac3ed032255fb484266319c42da2468bd0e1fbf7ec74ef39d5e17af

RedLineStealer

8bbd1821868c2a806e0dcabbce2c22a5f48ea4e8ae1fe6d86f9760ebbf18b700

RedLineStealer

a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

RedLineStealer

b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856

RedLineStealer

df4138a66646a5635fcb28efd5b0e7a8df86a67b77e9105516b83cca0233c34a

RedLineStealer

ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcaec7f383b4d81d1b318ee

RedLineStealer

+ 6 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:5637482599 brand:microsoft discovery infostealer phishing spyware stealer

Link:

https://tria.ge/reports/231026-kepkwaef74/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Detected potential entity reuse from brand microsoft.

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

https://pastebin.com/raw/NgsUAPya

Unpacked files

SH256 hash:

8303b8983ed5f1ad8a53d4629c02cebd9c067d1976712c03d80cc4e3846f42ce

MD5 hash:

ee36084695d41b2a997306c3ff332083

SHA1 hash:

2e828257dc559fffea51d7c51a07140ce80aa644

Detections:

redline

Link:

https://www.unpac.me/results/59da04b2-e1a4-40fa-8591-12a984c6eea4/

Parent samples :

1155b82749364016f6a7232f58f169029706bf61da9e19d97b015eca502e3396
aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b
3ff4f96ffdfc8fc6a6fc58a959d682bc9c1a8f631871217e924d84073c7fe876
10480736752fc02e4c2360e1a3066a494c17db9db6709b5d6621d5f2e9ea922d
3467893f47bdbaa0fb58975fdce620c2591a2064703f56fab29313afa3fe9cff
297e3d063b460078308a5c84bb86b13c9bb878a47d02446b0a1ecc25b690e3eb

SH256 hash:

aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b

MD5 hash:

d86816e976e8938f119f3ff64554846e

SHA1 hash:

163270d239a2020c062a5628536d84f78f95e981

Link:

https://www.unpac.me/results/59da04b2-e1a4-40fa-8591-12a984c6eea4/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aa23c8b64685/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/456503/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample