MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 20 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
SHA3-384 hash: 76a06c7c32d8dbc7c7b173883110de080fcad31b8473b727c23e80176056e26a3abbd3f9b7d4bccbba3c648bff51b7d7
SHA1 hash: 9adb6dddb68cd7e116da9392e7ee63a8fa394495
MD5 hash: 901a623dbccaa22525373cd36195ee14
humanhash: uniform-potato-charlie-emma
File name:901a623dbccaa22525373cd36195ee14
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:644'096 bytes
First seen:2024-06-24 16:23:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcN6S5UesUInNnpo2R2:hBXu9HGaVHN6S5U5Rn/Y
Threatray 2'117 similar samples on MalwareBazaar
TLSH T19BD4BDC3A81DEB18D8DB543DBC6B84B229A7FCFF516016246949FE3764341D12EEE809
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 86d23392e82f968c (2 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer UPX

Intelligence

File Origin
# of uploads :
1
# of downloads :
333
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec.exe
Verdict:
Malicious activity
Analysis date:
2024-06-24 16:25:14 UTC
Tags:
stealer redline lefthook meta metastealer evasion
Link:
https://app.any.run/tasks/2773057b-0d0e-4a75-b9dd-d116c6ef6f58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.AutoIt.1410.19502.29121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
98.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66799d7cff0cdfb06de5f4b9win7simulatehigh_evasion
Tags:
Generic Stealth Gpcx
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
AutoIt lolbin microsoft_visual_cc packed packed shell32 upx
Link:
https://www.filescan.io/uploads/66799d80eae3878d8f3b1df3/reports/d5ffaed9-a8fe-46c1-a106-78649b86b44f/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/006d83b4-be8d-46e7-8752-b78d0cb10a9f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1461860
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2024-06-24 10:18:56 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxrfbkkqoo257yz7m3atzse5ud6i2oxse3s67mdlxd6p3gsm23wa._file
Verdict:
malicious
Similar samples:
00971cb6265f2b6ec80830e5bd41ed8f6df0102fd99fdc23f7dfef3d2a28ac46
RedLineStealer
2578bd03e9d698423447e27c275d1081dc1e2be8d194d93e59a57a09100adcc1
RedLineStealer
5838e398d16703ff8378790d976e73661a39ce6b37641226ea57751daa0cde70
RedLineStealer
74e037d694a7adf03ae1cae2e10848338248d79b0b95b91af6f2e372080c9168
RedLineStealer
84aef578827eb8076c2644c14b34ce633b2c8f0d6e3a3c97ca97ddfc73ae7caf
RedLineStealer
+ 2'107 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:wordfile infostealer rat spyware trojan upx
Link:
https://tria.ge/reports/240624-tvtdfavdjp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
UPX packed file
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
185.38.142.10:7474
Unpacked files
SH256 hash:
6d62a0958a7574ba2ad7dce6199bbd1520afd23fea2183dc031b234e5fc66698
MD5 hash:
6bd0efca19c8a21373008dd422aaf39b
SHA1 hash:
c81af8840eccf6a7b5354046ace6e1a4a77b487f
Detections:
MALWARE_Win_RedLine
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
RedLine_a
Create hunting rule
Link:
https://www.unpac.me/results/f79d0031-422c-4bc0-9115-b1ee850575a5/
Parent samples :
b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
f35b64d832d85766d915d2aaba9bf5f32be38e24c132543cce25db154c287f8b
a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36
6d62a0958a7574ba2ad7dce6199bbd1520afd23fea2183dc031b234e5fc66698
SH256 hash:
74979d28286502cbef949b1c3be4bb935d2010c591a61704c95ee7a320d71722
MD5 hash:
1a93b9e2a3aad143ac4fc2c1b3de1eb2
SHA1 hash:
2ad63b585d5e533ba3d6b1114d751ab2ba3fb6ed
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/f79d0031-422c-4bc0-9115-b1ee850575a5/
SH256 hash:
b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
MD5 hash:
901a623dbccaa22525373cd36195ee14
SHA1 hash:
9adb6dddb68cd7e116da9392e7ee63a8fa394495
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/f79d0031-422c-4bc0-9115-b1ee850575a5/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5e250a95073/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021
Create hunting rule
Author:BlackBerry Threat Research Team
Description:Detects Unobfuscated RedLine Infostealer Executables (.NET)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_15ee6903
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_4df4bcb6
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f07b3cb4
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2904292/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments


Avatar
zbet commented on 2024-06-24 16:23:02 UTC

url : hxxps://universalmovies.top/ExtExport2.exe