MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA3-384 hash:	feafe375e286c24406513c0fb61ad62e9e51f30fa40a466d45fde050bd7e91912be9f8cd0137622a585773b2c478b4ee
SHA1 hash:	ada41586d1366cf76c9a652a219a0e0562cc41af
MD5 hash:	10a331a12ca40f3293dfadfcecb8d071
humanhash:	missouri-august-minnesota-alabama
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	431'872 bytes
First seen:	2024-02-03 20:29:24 UTC
Last seen:	2024-02-19 09:18:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	12288:jh1Fk70TnvjcL8o0S86aZ+ldnqA1W0PeF7H:5k70TrcJX32ih1Re7H
TLSH	T14094F12171C0C1B3C47B143184DACB799E6A3572176AE1CBB69C1BBA6F113E1A7352CE
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	Bitsight
Tags:	cre8ure exe RedLineStealer

Bitsight

url: http://193.233.132.167/lend/1234daisaaaaa.exe

Intelligence

File Origin

# of uploads :

# of downloads :

389

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/474422/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint overlay packed

Link:

https://www.filescan.io/uploads/65bea24d4f733f8cc1be9ab8/reports/e678d4fc-69dd-4006-b9ce-ee4670346256/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12204f04-a42a-4f93-ab84-8cc0825c61f0

Result

Threat name:

PureLog Stealer, RedLine, zgRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1386183

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-02-03 20:30:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wwhoy3s2vpdqcqcnlnkvnsdp75omca6gt3w2aadb5a4mj4jcfchq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240203-y95ggahfd6/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

.NET Reactor proctector

Unpacked files

SH256 hash:

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f

MD5 hash:

10a331a12ca40f3293dfadfcecb8d071

SHA1 hash:

ada41586d1366cf76c9a652a219a0e0562cc41af

Detections:

MAL_Malware_Imphash_Mar23_1

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/e80c5c94-192f-4d60-91f8-cb61dea9a778/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b58eec6e5aab/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/