MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b473aa2e24b0c9a7c0e02a56553b1cb836985caeb4f9e52403019786fe4085e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments 1

SHA256 hash:	b473aa2e24b0c9a7c0e02a56553b1cb836985caeb4f9e52403019786fe4085e3
SHA3-384 hash:	c3597cfcc1f3800fcdeae68222032bbb7b4b4715d22d91f48333329d50fcc7b4b8d6e0557cd979042cef1bb749dc849c
SHA1 hash:	b456b8efa20f10c66379dde3a23d1205f2ce20d4
MD5 hash:	4288cf37d832788814f795cbcd7d302b
humanhash:	river-music-spaghetti-snake
File name:	4288cf37d832788814f795cbcd7d302b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'588'512 bytes
First seen:	2022-01-02 01:54:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	347dfb5f021ffcf7a9785e4cb437f78d (1 x RedLineStealer)
ssdeep	24576:C5xdZGgNIfAftGyqjArAvVXwurYvFGL66mBFmcWc7+L9:k3GgNIAtGyI/vVX5YdGL6LmDc7m9
Threatray	19 similar samples on MalwareBazaar
TLSH	T1BF7533903020A64AE945B878088BA8D45F59EDA5A3C60F1F37F1FB5FD591272261BEF0
File icon (PE):
dhash icon	55b0f09ccc71b2b2 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4288cf37d832788814f795cbcd7d302b

Verdict:

Malicious activity

Analysis date:

2022-01-02 01:57:25 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/8d91bce3-8fdf-4a50-be4e-8b346a19cb57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/217048/

Detection(s):

Win.Malware.Generic-9918574-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61d10600ec6c6c14a904683e/reports/f002afe9-f104-47a0-99c8-6309fc3cd65b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4523ba7-e03b-4fe3-8702-b5d8b58af37e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/914549

Signature

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b473aa2e24b0c9a7c0e02a56553b1cb836985caeb4f9e52403019786fe4085e3/

Threat name:

Win32.Trojan.Tiggre

Status:

Malicious

First seen:

2021-12-30 11:53:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wrz2ulrewde2pqhafjlfkoy4xa3jqxfowt46kjadaglyn7saqxrq._file

Verdict:

unknown

RedLineStealer

35d04737f87fbd1cb97d05dda7d795b419ddc767131034a0d00193b8f68f3330

RedLineStealer

3fdf21f7ad2430c552a8dc34c6fbaf82d95a0f44b9a7bd514d89ad3d074d345f

RedLineStealer

6e662c3d403396c5bfec2b051dd49b39662c3ff80f39c16ece3ebc2e1c469208

RedLineStealer

7e0c2ce27546ab7f48a342034897618324bae954071754e689f590ae0a4e8a3f

RedLineStealer

8385eb7b18a881dcfdb87406a92c19b5b39676f5de60859a4a4034cf91e21c6d

RedLineStealer

8393c3c10fcfaad79ef8ae38575d1b26aa2d3ae45fb6ed47b4f506f7abda6b1b

RedLineStealer

d68d7178b780c1d80256fe6e2b42659f22c3c24f11280a4eb488a06f59e044b9

RedLineStealer

e8d880461c3ab9be4842d3789e06b557ae2c5316cc486036e11d72502752b64a

RedLineStealer

+ 9 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220102-cb6e8agegl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

e488bbfb6c0ecb506e0458a1363649544280e0f57b20c07eea0adfcd98944c11

MD5 hash:

b21e047b150ff455531e46b223497079

SHA1 hash:

13698a8162b7e865f4360fb744d14089874fc4d8

Link:

https://www.unpac.me/results/32faf03b-eadc-4d22-83e3-1e6284fbcf89/

SH256 hash:

b473aa2e24b0c9a7c0e02a56553b1cb836985caeb4f9e52403019786fe4085e3

MD5 hash:

4288cf37d832788814f795cbcd7d302b

SHA1 hash:

b456b8efa20f10c66379dde3a23d1205f2ce20d4

Link:

https://www.unpac.me/results/32faf03b-eadc-4d22-83e3-1e6284fbcf89/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.98

Link:

https://yomi.yoroi.company/submissions/b473aa2e24b0c9a7c0e02a56553b1cb836985caeb4f9e52403019786fe4085e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time