MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900
SHA3-384 hash:	24e4776a76fc3f03a13cf600f93d29e63d4b61e663a23fcf0e52a22a6e15a2cb6fd7e5be68016cbf46789d0f66b2144d
SHA1 hash:	8983310a112763c2692daca276d649757aa2ed7d
MD5 hash:	4bc1bd277770c8da36c5d31968a0e977
humanhash:	illinois-october-sierra-fish
File name:	4bc1bd277770c8da36c5d31968a0e977
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	6'366'720 bytes
First seen:	2023-12-13 16:59:39 UTC
Last seen:	2023-12-13 18:17:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5929190c8765f5bc37b052ab5c6c53e7 (74 x LummaStealer, 14 x RedLineStealer, 8 x Stealc)
ssdeep	98304:hIAXS/l+HHb7QICgF3EqF6DnCmE3or8r1:8l+HHbhCgF0qFqE7
TLSH	T122564987FC9141E4C0AAE33589669293BA717C480F2027D72B50FF692F76BD06EB9354
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	7171694d4d697171 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	64 exe RedLineStealer

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

360

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN smoke

Malware family:

smoke

Alert

Create hunting rule

ID:

1

File name:

447ce13d52d10211f7d777a8b7e1bfc7.exe

Verdict:

Malicious activity

Analysis date:

2023-12-13 18:36:02 UTC

Tags:

loader smoke smokeloader stealer stealc redline

Link:

https://app.any.run/tasks/f923d38c-587b-4474-827a-3d4a9d97cc10

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467307/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.20617.25263.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Dragonfly

Gathering data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

anti-debug expand installer lolbin

Link:

https://www.filescan.io/uploads/6579e32018cffa73b1e4a60f/reports/b1f3c8a4-22ec-45f8-bd3b-09d565a805fe/overview

Hybrid Analysis WinGo/TrojanDropper.Agent

Verdict:

Malicious

Labled as:

WinGo/TrojanDropper.Agent

Link:

https://www.hybrid-analysis.com/sample/b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/05d10c2e-37a9-409d-ae8c-6f2694a64dc0

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361634

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

97%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900/

ReversingLabs TitaniumCloud Win64.Trojan.Smokeloader

Threat name:

Win64.Trojan.Smokeloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-13 14:34:33 UTC

File Type:

PE+ (Exe)

Extracted files:

2

AV detection:

17 of 36 (47.22%)

Threat level:

  5/5

Spamhaus Hash Blocklist

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wxfbhnveqc5so276erak4ct5rfqdtzome4v425f7sicnhnerteaa._file

Threatray unknown

Verdict:

unknown

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  6/10

Tags:

spyware

Link:

https://tria.ge/reports/231213-vhyytsfddr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

UnpacMe

Unpacked files

SH256 hash:

b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900

MD5 hash:

4bc1bd277770c8da36c5d31968a0e977

SHA1 hash:

8983310a112763c2692daca276d649757aa2ed7d

Link:

https://www.unpac.me/results/6d3fddc2-6b3a-406c-bed5-e9a9d7fcd967/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b5ca13b6a480/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe b5ca13b6a480bb276bfe2440ae0a7d896039e5cc272bcd74bf9204d3b4919900

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/467307/

  

URLhaus

https://urlhaus.abuse.ch/url/2740311/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-13 16:59:41 UTC

url : hxxp://193.233.132.59/BEST-13-12-2023v1.exe