MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae
SHA3-384 hash:	762b1822777a27a072cd5a2a0b9806c721d67f824c4a62a41a197bd453e8158143e923c516e65c427d50a785d94ad063
SHA1 hash:	7a69de994120ec59adf5184a0ebeff206139a449
MD5 hash:	dd4cb5245e8040d454e2a41e41b50baa
humanhash:	tango-twelve-oranges-mountain
File name:	dd4cb5245e8040d454e2a41e41b50baa.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	422'912 bytes
First seen:	2023-02-08 18:46:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f24c70adc5293af8000f2c39db7b30c1 (14 x Smoke Loader, 7 x RedLineStealer, 1 x TeamBot)
ssdeep	3072:Ew9qBGdvwXR5bMCv5tPYqxQHWxZtDjGVBD322unATSCYj2D0J/Ou2eOV32WByUAU:Ewq4UR7YHH+gGVnS3v0wu25GWUjsTIu
TLSH	T1D4946C53A3D17C48DB26CB33DE1EC6E8F61DB990EE4A776D3218AA5F18B0172C563211
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0353232207120604 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

dd4cb5245e8040d454e2a41e41b50baa.exe

Verdict:

Malicious activity

Analysis date:

2023-02-08 19:39:09 UTC

Tags:

redline

Link:

https://app.any.run/tasks/933f1c7c-11ef-4638-9e44-2429fcc071c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/362206/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63e3ee2dd641da4e64d7278c/reports/65775496-c460-4a2c-8cd8-65cd09c16376/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2a23616-cf89-4f0e-a535-c5e938f3de9e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1169681

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-02-08 14:07:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wbru3bpmoucf77blhdrc4rzeulg4zbayxnqexk3dl6dg27endsxa._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:roma infostealer

Link:

https://tria.ge/reports/230208-xe7snsee24/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.233.20.7:4131

Unpacked files

SH256 hash:

13c9dfd749c400cb475d5f7e2251dccf192d0416f27cd23ea247a6bbd8447058

MD5 hash:

ca3d81b27410bb909e51d30e0ac93e45

SHA1 hash:

6ffa0e1d5e3479190fb2e42a6cbae404f8c427fd

Detections:

redline

Link:

https://www.unpac.me/results/f06b3b84-65ea-46d4-8525-b2703bd5b92f/

Parent samples :

0e5a2fe272129c522049bdd7a506d754826d8342ea7cfe1c1a3c23c81a2d17e4
5f7e979a53d8b78267258ee24d9ce34952da71f19f83e2086fda274464bebb74
c7f6ca85876a416debb5494c6cb9a5efcb865c7b0cd04030ce31a22ce78c42a0
96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971
b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae

SH256 hash:

86f61aee28ccdae81bb29e7de7dbf4652e4e52ac1463acb682e74c9e8f4acd91

MD5 hash:

07e51dc10fe3afdc6f124a06d825e8d4

SHA1 hash:

2b8b552b1fea7328a09b9cbb0cec73734d9f72a3

Link:

https://www.unpac.me/results/f06b3b84-65ea-46d4-8525-b2703bd5b92f/

SH256 hash:

edf0e97bcbb37645bca74158112515a62ebbfe82e212f21eff73b90c8f8c978c

MD5 hash:

a66511a96e5adcdedc0ce7f091b2e989

SHA1 hash:

237af06444ccea53c1737ef6c8de8d188ad1a8b7

Detections:

redline

Link:

https://www.unpac.me/results/f06b3b84-65ea-46d4-8525-b2703bd5b92f/

Parent samples :

48aff3ca7986edc6be811d56c88492f23dc3eeb8eeb10502a78500dc797e1bcc
d59d55ca65f1982ccae31dfd0b9d4910a33adcb209144ec41c7f928c14221eb2
d5abe1bf7cc6986a8a6784afcf8013cd75c3963765ee576c19799b0d4916f826
0e5a2fe272129c522049bdd7a506d754826d8342ea7cfe1c1a3c23c81a2d17e4
5f7e979a53d8b78267258ee24d9ce34952da71f19f83e2086fda274464bebb74
01a09f4a93941e4d0d1afabb4f49f7aa1b9f91cc202cc1d7eba5ca52ebecd317
77f19ea2e98aa20589c1196037c0ec3bcb2936b4c1e53fd89c1a22697c8d31c6
c9df15c0e5c17d79b64b4075b6b5f8d44f66f50744c138e6c95bd55097218c11
670ebc347dd7d79c1736cec1f2e8e517dfab7227f14dabbecbd7eda139642175
7b4ae35ac3c70bcf6f9a7367e92b448a8e4f76368c9eb4ffebc53891d77c20a4
c7f6ca85876a416debb5494c6cb9a5efcb865c7b0cd04030ce31a22ce78c42a0
96591c0ce9dcbd29016ba5516e5dc36ae19646a492667bf46c05629b4214b971
621606f23b6d2a7e300cc4785f35fe8235b60604fb2c988470bf8971b57360e2
b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae

SH256 hash:

b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae

MD5 hash:

dd4cb5245e8040d454e2a41e41b50baa

SHA1 hash:

7a69de994120ec59adf5184a0ebeff206139a449

Link:

https://www.unpac.me/results/f06b3b84-65ea-46d4-8525-b2703bd5b92f/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b0634d85ec75/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b0634d85ec75045ffc2b38e22e4724a2cdcc8418bb604bab635f866d7c8d1cae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.