MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387
SHA3-384 hash: fdacbb8daa362bd4d1f7b659fd42d423c9db831d8d7f9a39fb7e80b8226e258cd629ba22f8eeaba6d60083c3a7d4ee39
SHA1 hash: 2d892b1de088baed8ae4df89536b7e197ea7d83e
MD5 hash: b34d7dcf2fd1a08025934b2b3b60c4d3
humanhash: nuts-echo-vermont-oregon
File name:Payment_Advice_HSBC_Swift_Copy.pdf.lnk
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'800 bytes
First seen:2024-11-29 09:10:15 UTC
Last seen:2024-12-12 14:25:17 UTC
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 48:8oa6y3llaA8Vo9blfxG6mvXwh+TQLr3HAeDBl/nalfHovEWdnCIZa:8oSKVgfG6mvwcQLjHAtlot9C2
Threatray 3'609 similar samples on MalwareBazaar
TLSH T14F719E1067E90308F5B39F76ADFEB6118876BDA2EC21DB9D0041524C15A1A40E9B6F3B
Magika lnk
Reporter abuse_ch
Tags:emptyservices-xyz HSBC lnk RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674986a204c232bff3b4a068
Tags:
autorun gumen
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper evasive masquerade powershell
Link:
https://www.filescan.io/uploads/6749852ab0c1f225b44a4b82/reports/cba39f60-965b-4de8-aefa-c896b385fd9e/overview
Verdict:
Malicious
Labled as:
BZC.YAX.Boxter.864.D823CAC8;BZC.PZQ.Boxter.970
Link:
https://www.hybrid-analysis.com/sample/b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1565108
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell decode and execute
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1565108 Sample: Payment_Advice_HSBC_Swift_C... Startdate: 29/11/2024 Architecture: WINDOWS Score: 100 36 emptyservices.xyz 2->36 38 remisat.com.uy 2->38 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 64 18 other signatures 2->64 8 powershell.exe 14 21 2->8         started        13 wscript.exe 1 2->13         started        signatures3 62 Performs DNS queries to domains with low reputation 36->62 process4 dnsIp5 40 emptyservices.xyz 209.126.80.197, 443, 49705 CDMUS United States 8->40 34 C:\Users\user\AppData\Local\...\tmp7C8B.tmp, PE32 8->34 dropped 72 Found many strings related to Crypto-Wallets (likely being stolen) 8->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 8->74 76 Powershell drops PE file 8->76 15 tmp7C8B.tmp 15 4 8->15         started        20 conhost.exe 1 8->20         started        78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->78 22 ByteLength.exe 14 2 13->22         started        file6 signatures7 process8 dnsIp9 44 remisat.com.uy 192.254.232.209, 443, 49706, 49714 UNIFIEDLAYER-AS-1US United States 15->44 30 C:\Users\user\AppData\...\ByteLength.exe, PE32 15->30 dropped 32 C:\Users\user\AppData\...\ByteLength.vbs, ASCII 15->32 dropped 46 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->46 48 Machine Learning detection for dropped file 15->48 50 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->50 54 2 other signatures 15->54 24 tmp7C8B.tmp 5 3 15->24         started        52 Injects a PE file into a foreign processes 22->52 28 ByteLength.exe 22->28         started        file10 signatures11 process12 dnsIp13 42 41.216.183.218, 1912, 49707, 49715 AS40676US South Africa 24->42 66 Found many strings related to Crypto-Wallets (likely being stolen) 28->66 68 Tries to harvest and steal browser information (history, passwords, etc) 28->68 70 Tries to steal Crypto Currency Wallets 28->70 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387/
Threat name:
Shortcut.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2024-11-29 05:30:22 UTC
File Type:
Binary
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wselt4u4xcexugcuzipmf2kdzgnlm4skqjn75x2uqxyupptksodq._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab0
RedLineStealer
2f05df98b8de8af85942d15c1c7d434ee62be3e3662c551a0e14d29c9531c1cc
RedLineStealer
5669998000fdc457a919dea600b100809d0bb5681cbca6a67b544307233b5915
RedLineStealer
85e9c6278c99a25f02eb16d17b9243cc4b00dcc61553fb68e837c0401ffc1278
RedLineStealer
9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
RedLineStealer
ac26ed94e0649909fae11bfcb2dc1b1a2473df633acd5520fec96c4e1dc76ac9
RedLineStealer
b49dbf4ccc6fcc620965e1f38df9f0253c48004b44dd4f7d57f732c057469253
RedLineStealer
c3cff5741919b145dc55c678febd01b98d0f9f491b8384ad0fcbdfe38826bd30
RedLineStealer
error
RedLineStealer
+ 3'599 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cheat discovery execution infostealer spyware stealer
Link:
https://tria.ge/reports/241129-k5la5sxkd1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
41.216.183.218:1912
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments