MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570
SHA3-384 hash:	ca37d4a3dadfe4b96b0fa5b8806272d44a3db8815120af12b2fdfdab603226f3fc22c768ae76c4c9748bc154ca8c2d08
SHA1 hash:	4cde261ffa7eb0f9cab124f98dfc90fcf93185cf
MD5 hash:	76025f3b7df4df5933c0f0ea9cb7cadf
humanhash:	vermont-nebraska-butter-sink
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	434'176 bytes
First seen:	2023-10-18 10:59:39 UTC
Last seen:	2023-10-20 10:10:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4f0cdfd3e1be2bc790b5aa9061b7d52c (7 x RedLineStealer, 5 x Smoke Loader, 4 x LummaStealer)
ssdeep	6144:qXPmJQTPOhvYjV7KvUxo8GbxAOZRNsscrdideGEsKR24RDpoe09dljy:qfhTOJYNmtZWdid+24roe097jy
Threatray	1'566 similar samples on MalwareBazaar
TLSH	T1EA945C00B9B54872D3EA793A47D32DE4A7A9B4108ED36E9F13652D8D8FB91F2DB50340
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc52355237_667106954?hash=u1nxcEZaxcLM5gBJiodoTcIasNoT55fLzvwrRyhTuIk&dl=eHGUUzvGf3mld3Z4uL26ddKyh2AQiccctdzWDv3HEzk&api=1&no_preview=1#1

Intelligence

File Origin

# of uploads :

# of downloads :

339

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/455668/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.12406.23380.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

No Threat

Threat level:

2.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/652fbab4cd0633254b8425fe/reports/28783634-6b2b-4eb2-96a6-712f5806738e/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c7a071b6-e28b-4f64-a1bb-eb02a7c3a8d3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

n/a

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1327940

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-10-18 11:00:07 UTC

File Type:

PE (Exe)

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v4hdl3tpsxolbqx7szlljwbbe6tsoep774aupsvo6bdipwpecvya._file

Verdict:

malicious

RedLineStealer

0ea266f277bac4ca8fa7c5e4dd4e2abca813c203fd9b4fb31a950ceed5ac5e51

RedLineStealer

2eb2c60176fb29d19da9c54c065e863e5adc4e83a02bd69a1c641dc617cd3cc8

RedLineStealer

3b75fef36f2d68ceed33969816c1c90b4094db8c1a2bc98d848857f904da21e2

RedLineStealer

3beba0fcd974f5165e5f7a9bd489dd5e5df8a79279d988b2831628b562369bac

RedLineStealer

619c3b699ba4c6ba0e08d4813270b6b3799620ea49720e09ad1ac30a7668d32c

RedLineStealer

729daa3232aa59c480e56c199bc33e059e22d33e96ad036f14c1ea036ee4b799

RedLineStealer

a32fea79322c50eba46e95d2d2476fc7f96cc56584945779fef44d61e93f8d5c

RedLineStealer

d1ef9cd10ac3659aa976acefef29b35ed97840f4eb0ce5d3c48292013322ac0d

RedLineStealer

ea324a2f2037b226e5f1b59cdc2a75751d0ec1304c87ba0c867651ed4277cf60

RedLineStealer

+ 1'556 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer spyware

Link:

https://tria.ge/reports/231018-m31ddsdf4x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

171.22.28.236:38306

Unpacked files

SH256 hash:

18771aab0d37ea21e0176445b17b75d145d9fc688a185e50293242c829566a73

MD5 hash:

ed7e9a6e6ce54ff2fc91b83cb84f422f

SHA1 hash:

5cbab5f2f27eea11b4efcd984547bb6389f23069

Detections:

redline

Link:

https://www.unpac.me/results/7171f94a-f083-477b-95d7-631b11ec387e/

Parent samples :

af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570
1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494
34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953
efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1
f57d924e1c1b97aba0abe02943b16850bdd22d5eb6c5f9df5acfc420994402fe

SH256 hash:

af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570

MD5 hash:

76025f3b7df4df5933c0f0ea9cb7cadf

SHA1 hash:

4cde261ffa7eb0f9cab124f98dfc90fcf93185cf

Link:

https://www.unpac.me/results/7171f94a-f083-477b-95d7-631b11ec387e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/af0e35ee6f95/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/455668/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample