MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b48432d7e1f4cc0ec058834b8e50783634be47acac618f7dec0e271d43ffd60f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b48432d7e1f4cc0ec058834b8e50783634be47acac618f7dec0e271d43ffd60f
SHA3-384 hash: b8fb8d8b6f513f1c3cc10cfeed2cad6f84e41fe9a70f7694ef6c071f63f5f6b544f8ac1af0a57431dfc7e8d362dfbeda
SHA1 hash: 09a6ea0c1155917d33206ac5d790b978fbfe8e40
MD5 hash: dec2ec2965d3fe574bf4001f68425946
humanhash: alanine-saturn-hot-rugby
File name:MS Office KEYGEN.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'851'864 bytes
First seen:2022-02-17 19:20:42 UTC
Last seen:2022-02-17 20:54:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dfec469ff9e19f9df882decc3c09398f (45 x RedLineStealer, 1 x Formbook, 1 x ArkeiStealer)
ssdeep 98304:4J4JNPLiIDT0p2da3yj2oakvkFI7QygBTZ4WlNaLyScv+1xZJ:o4fL3VdaijdaKkFKQyu8LyScexz
Threatray 1'334 similar samples on MalwareBazaar
TLSH T1BD2633BB79C8BA0AE5090B7DB01B8D93580115FD34CFC8ADB534E7929CB1B219B60D76
Reporter adm1n_usa32
Tags:exe Redline RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MS Office KEYGEN.exe
Verdict:
Malicious activity
Analysis date:
2022-02-17 19:19:52 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/3bebcfc8-23d5-4d8f-b164-80fa5552801a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242383/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/620ea023a2660f3bb9f39e2b/reports/b5178d32-31c5-4222-b987-97a5b716761f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccdcc72f-18fb-4a74-81ce-3812dea92d22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b48432d7e1f4cc0ec058834b8e50783634be47acac618f7dec0e271d43ffd60f/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-17 19:21:14 UTC
File Type:
PE (Exe)
AV detection:
18 of 28 (64.29%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wscdfv7b6tga5qcyqnfy4udygy2l4r5mvrqy67pmbytr2q772yhq._file
Verdict:
malicious
Similar samples:
0ba5bc2a4412ad5a9e6c873d77ca59d2650ca6138126737e02f89a0581832ed5
RedLineStealer
1fbb53922880c53aff6c82545ab91811f4f0a3ea30c60b417c7980c8a9434d8c
RedLineStealer
24fe35fea083b89f0cc62ef8b9df0de29395be57b0ee1b160229d667785b6bf0
RedLineStealer
2611cbdb42c4bcff5f9d1027c2b72e38ac6dd5fc76712ebd7d56d833077072ff
RedLineStealer
479e5e3f4b38759f6a9b5f16565ce5e416ca3609f6b138b87ae2ac3740edac5c
RedLineStealer
4fa28556557b228a0cabb6a51597217e09afdf58a140b1181f0bd8325e6e4d0f
RedLineStealer
5d99125b0d97ba0abfcf9916c1a05081c1cc117eb2afaaab39a6f95a60e42ab3
RedLineStealer
93976cb0c0ed15a2e61a2bb20e6d5394c64e756d7c5f56bdc5e6ed8221210c55
RedLineStealer
f4036a8affaa6f227d3fce3a98b5b9bb752cd434f04587ea4105c58fc96404e2
RedLineStealer
+ 1'324 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220217-x2m2sadee3/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
c9f67b6a0725faede193df0eb72dbc97b4e3f2e8d7aa053c31f520cdf3f2e8cc
MD5 hash:
ab55972b4e6a78b576134cb96420d581
SHA1 hash:
acd2a37f2956f43f74ff99055b4f247d7aa6d23f
Link:
https://www.unpac.me/results/1a0cfb7b-2d1a-47b7-a51e-969294772259/
SH256 hash:
b507a7afbd101044bcaf027e9574aec80367dcd803fb66960074dae20f6b3787
MD5 hash:
b7543d5fda76177f2fa04be40cd44074
SHA1 hash:
1b29531add5dde370e6e461021ad034021d504ff
Link:
https://www.unpac.me/results/1a0cfb7b-2d1a-47b7-a51e-969294772259/
SH256 hash:
b48432d7e1f4cc0ec058834b8e50783634be47acac618f7dec0e271d43ffd60f
MD5 hash:
dec2ec2965d3fe574bf4001f68425946
SHA1 hash:
09a6ea0c1155917d33206ac5d790b978fbfe8e40
Link:
https://www.unpac.me/results/1a0cfb7b-2d1a-47b7-a51e-969294772259/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b48432d7e1f4cc0ec058834b8e50783634be47acac618f7dec0e271d43ffd60f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b48432d7e1f4cc0ec058834b8e50783634be47acac618f7dec0e271d43ffd60f

(this sample)

anyrun
any.run
https://app.any.run/tasks/3bebcfc8-23d5-4d8f-b164-80fa5552801a
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/242383/

Comments