MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
SHA3-384 hash: 7ed3ff2591a322a460d5eb5cc34b20cf45efc12087c778a465509c779e0fbbbe232d15911d41aecad41e007d2cb1e55d
SHA1 hash: 7e81a513aadcb61b6b8cd2beca7675c46d91a790
MD5 hash: f5cfae9949e8973779c5539603f98512
humanhash: dakota-mobile-diet-rugby
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:455'168 bytes
First seen:2023-10-18 08:23:06 UTC
Last seen:2023-10-18 09:04:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e6c8a6ac2c39bf589d2a9a54b0ca583e (13 x LummaStealer, 6 x Amadey, 6 x RedLineStealer)
ssdeep 12288:F2YwCby3hOkzj3h9t/bhblnkOudK8XpUrbKQD:F2YLAhzDt/9uOudK8XpUrbKQD
Threatray 1'595 similar samples on MalwareBazaar
TLSH T198A46C0679534920F559A032C995B635097AD7294E93FCBFA7B06FBE8DB05C2B12C8F0
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
333
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455618/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.27169.11158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652f962310dbe5fb92cd7423/reports/3ccff5dd-be60-4b0e-9c3d-4dc396b8730c/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d496b73b-2e2b-4e93-ba0a-f5cdcb7518a5
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1327876
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1327876 Sample: file.exe Startdate: 18/10/2023 Architecture: WINDOWS Score: 56 16 Multi AV Scanner detection for submitted file 2->16 18 .NET source code contains very large array initializations 2->18 20 Machine Learning detection for sample 2->20 6 file.exe 2->6         started        process3 process4 8 AppLaunch.exe 6->8         started        10 AppLaunch.exe 6->10         started        12 AppLaunch.exe 6->12         started        14 33 other processes 6->14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 08:24:05 UTC
File Type:
PE (Exe)
AV detection:
21 of 22 (95.45%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkeue6ugwntgplrzxs6s55plfglwtttjav5yrhagfehdlu42i6tq._file
Verdict:
malicious
Similar samples:
0d2075b728700bacfa79dc4138df8e89a8d3a67221f612d2997968598b6285b3
RedLineStealer
2e2208d8929729766d184b02f6030a0b77fb560c1bfbb69e2c56479623083675
RedLineStealer
58448c417657e36527847d43cb0adc5e910b8e5211cbf8b3fc35c52b59332c53
RedLineStealer
75ec6c815f4ca762223a0ad901defff84ae8338f4ad9970a7a606bdb1514fd99
RedLineStealer
9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff
RedLineStealer
ce78b18767d7895f03c85d5993742c8b0b02c2b9a64db086191ae434f9991d19
RedLineStealer
da920bb04ee50d8842f01eda3e8eafde082331df010631fc8d0a2c20af911e98
RedLineStealer
eadfa96ccc8310d66e17163dca4825b97b5ca5d510faf53449a85caafdc66809
RedLineStealer
f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3
RedLineStealer
fd42fff03752fe763d0e90f0c164ad376edaf3c24b7bc872c70ecf236ebf9f10
RedLineStealer
+ 1'585 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:build285 infostealer spyware
Link:
https://tria.ge/reports/231018-kap1vacf5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02
MD5 hash:
281cdc7e284b96011624acded1859799
SHA1 hash:
af8e34c4c7708547c8f2d35a13121c7a9d6fcd20
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/c5dd7b20-72fd-49f5-9f9c-d8cb1af54c9f/
Parent samples :
399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d
SH256 hash:
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
MD5 hash:
f5cfae9949e8973779c5539603f98512
SHA1 hash:
7e81a513aadcb61b6b8cd2beca7675c46d91a790
Link:
https://www.unpac.me/results/c5dd7b20-72fd-49f5-9f9c-d8cb1af54c9f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa89427a86b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/
Cape
Cape
https://www.capesandbox.com/analysis/455618/

Comments