MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856
SHA3-384 hash:	700a19dec8f1ed2901e5f1ae680b4a8d23784672eee80fab1fa43d403524a12db1f64548635ccb941c9bec87a04f851d
SHA1 hash:	9a2929f81d62fe1b5234c8bef6f80db767b7a5f7
MD5 hash:	176229c36e7a4e9c452aa0fa8aec1d3b
humanhash:	four-cup-eighteen-florida
File name:	176229C36E7A4E9C452AA0FA8AEC1D3B.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	187'392 bytes
First seen:	2023-10-14 07:30:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fec5e3ac8231eb123a87c533e215da11 (3 x RedLineStealer)
ssdeep	3072:clmNQkFpfQBvQYdPy8fLFScwnOE8Cc1gGowCMj6XF+osAMKWxiMZYY8+BTj:wmmkPgowfQ8JCpwoeKWxiMZYY8+Bn
Threatray	37 similar samples on MalwareBazaar
TLSH	T1AA049E9270F8C4AFEA56E67B84E1893C49D9FC7807664D4B7F8C52EE09240F1A72474B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
95.217.246.182:443

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

176229C36E7A4E9C452AA0FA8AEC1D3B.exe

Verdict:

Malicious activity

Analysis date:

2023-10-14 07:31:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8b95e450-ea67-4144-9bdb-dbede6a8bdab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/454282/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.24446.305.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

dridex greyware icedid xpack

Link:

https://www.filescan.io/uploads/652a43b6853e4f06480b4e40/reports/14493351-8e17-4e1f-aa95-afe94e1e4f8b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/65d14b6a-497b-4069-bb52-38f09313fd4b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1325619

Signature

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-10-10 21:26:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wdhnt5zdsyf2e2e34urnzlqnmxsceux2qmh2e7fjb375i2ba3bla._file

Verdict:

malicious

RedLineStealer

3eb310f8d5efd369668424db8a545463e51dda3583a7054bdcba894c20513be9

RedLineStealer

8bbd1821868c2a806e0dcabbce2c22a5f48ea4e8ae1fe6d86f9760ebbf18b700

RedLineStealer

a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

RedLineStealer

e1c5d328eaf0228e5d1ae9bf8ef3d6bf734f88dfb411cb5afa25d15f1f023ab0

RedLineStealer

fda009c7da2fb93445472162677e113625b0aa7205aacc517f35efe8fb37fbf6

RedLineStealer

+ 27 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:6077866846 brand:microsoft discovery infostealer phishing

Link:

https://tria.ge/reports/231014-jcc9dsgf7z/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Detected potential entity reuse from brand microsoft.

Checks installed software on the system

RedLine

Malware Config

C2 Extraction:

https://pastebin.com/raw/NgsUAPya

Unpacked files

SH256 hash:

7400c251ea9a157e5a99cebe1c68043b7b72ccea1a2218d0fea621132ab21f91

MD5 hash:

cc42b696f06d4a695fc0e5b3664b8f4e

SHA1 hash:

b8496398cf85966c5965dc02a06b20d0b615154c

Detections:

redline

Link:

https://www.unpac.me/results/7ef1eb02-6d89-43ea-bae7-85bf37166ce4/

Parent samples :

b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856
20f5112314033bc2cd42337ef85390363777bbfb22eab40d7fa934ce34bf71cf
4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa

SH256 hash:

b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856

MD5 hash:

176229c36e7a4e9c452aa0fa8aec1d3b

SHA1 hash:

9a2929f81d62fe1b5234c8bef6f80db767b7a5f7

Link:

https://www.unpac.me/results/7ef1eb02-6d89-43ea-bae7-85bf37166ce4/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b0ced9f72396/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/454282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample