MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad47a277b5ee673253ef0ea9aaeb5b1f053d1c1ba7950d91a858595974390ef1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	ad47a277b5ee673253ef0ea9aaeb5b1f053d1c1ba7950d91a858595974390ef1
SHA3-384 hash:	b6295bb24d005488c589a251cc8ddb351d580323b941e879fa350d3ef6a81892a3560c65c1fffbb07ee9eeb5e3119992
SHA1 hash:	bdc3f307ba963ed9470a01722035ac0dfcf906e7
MD5 hash:	268a9c9150fbe19f367acc7756a780f7
humanhash:	delaware-california-monkey-fanta
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'297'920 bytes
First seen:	2022-09-17 08:03:55 UTC
Last seen:	2022-09-17 08:17:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	da0a8429d07681e0f845d1d4f08ae833 (28 x RedLineStealer, 2 x ArkeiStealer, 1 x PhoenixStealer)
ssdeep	24576:+o4O/BjYPYXIQSmhSgMWbbddQsxocsa4z0d:+BO/d7FicsaI0d
Threatray	76 similar samples on MalwareBazaar
TLSH	T115554D3AE70619B4D76352B1C58EFE7B9B54B63480329E2FFF46DA0CA8334127C85256
TrID	44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc749961351_645284821?hash=MPss5O9ZgWGmkDoKdO2RmZ9c3LJQypIFUmciOgqFr2P&dl=G42DSOJWGEZTKMI:1663401652:Tl2IztAWRtJJreeDIlYQRiTAJnCoPZ8Uwz7dnJNPmb4&api=1&no_preview=1#setup

Intelligence

File Origin

# of uploads :

# of downloads :

352

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-09-17 08:06:06 UTC

Tags:

redline

Link:

https://app.any.run/tasks/d1fcc29e-3b41-4053-9530-f964aee49f94

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/310896/

Detection(s):

Win.Packed.Trojanx-9968105-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the system32 subdirectories

Creating a file

Launching a process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/63257f7866ac326512458180/reports/722750c8-ff58-4d70-9a80-8215a95a953b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ae427035-df77-4e39-a102-3fc27b8dfaff

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1072193

Signature

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ad47a277b5ee673253ef0ea9aaeb5b1f053d1c1ba7950d91a858595974390ef1/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-09-16 13:45:00 UTC

File Type:

PE (Exe)

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vvd2e55v5ztteu7pb2u2v223d4ct2ha3u6kq3enilbmvs5bzb3yq._file

Verdict:

malicious

RedLineStealer

19c3401042baeac38e94c3105dbfc1249697741f242db3f51f52eebb45c92ad9

RedLineStealer

208242ee86460f756e007197f574ce7b9855805f9d4bd080b53e01caba3bec1c

RedLineStealer

21665567315ac5983cee460bae1e45fb69b71c1ea809fd56bcd9357c1adc632d

RedLineStealer

5367a9a3d01c9f3b3bcce04e72c84a050b4fb09a79b1a917eee1c48825f76308

RedLineStealer

8befc91b605e2dd3ee8917f6e4b2ab943ec7900d257b704955c2defc0328b4d8

RedLineStealer

aadcd7f826198c71e998d31ae4ddd4f219d61ed27338ab7aec0c055749f1bc24

RedLineStealer

cad30ad3dc657a39b8e8625ed7d40ae81f4ad7808021758ddbed1990227403e9

RedLineStealer

f460aba4130701652e226e6059f5501065b6e6673ffb72aea0a1918af1c6a922

RedLineStealer

+ 66 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:rrmoney infostealer

Link:

https://tria.ge/reports/220917-jx9hbshdf6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine payload

Malware Config

C2 Extraction:

81.161.229.243:28479

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e26e8696-487a-4492-90a3-0930c0752a4d

Unpacked files

SH256 hash:

c0030710dd37b82446ca428a8e90d1e1251cb37d68e6bcff340d7afa8d3869b7

MD5 hash:

07c0598cb3ddd470b71cb83b5ae9c160

SHA1 hash:

771bbb6f51d96d8d40d60c044f0f43e05de6e307

Detections:

redline

Link:

https://www.unpac.me/results/16e831bc-2ba0-43f8-a36c-9c50493af3f8/

SH256 hash:

ad47a277b5ee673253ef0ea9aaeb5b1f053d1c1ba7950d91a858595974390ef1

MD5 hash:

268a9c9150fbe19f367acc7756a780f7

SHA1 hash:

bdc3f307ba963ed9470a01722035ac0dfcf906e7

Link:

https://www.unpac.me/results/16e831bc-2ba0-43f8-a36c-9c50493af3f8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ad47a277b5ee/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ad47a277b5ee673253ef0ea9aaeb5b1f053d1c1ba7950d91a858595974390ef1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/310896/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample