MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd
SHA3-384 hash: 9d547f8a5dcd9133f13b75c92a61d94e84fb91439d13a58a81635826beafb880928e7dcf447aaed10d0d798995e95e68
SHA1 hash: 5ecbda765ea1c558ef61dc5933ab7aefc279e1b3
MD5 hash: 1f060be9fbfe90811a71414791ab8c1b
humanhash: mountain-virginia-delaware-nineteen
File name:good.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:164'352 bytes
First seen:2025-01-20 14:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 61 x Rhadamanthys)
ssdeep 3072:zahKyd2n31j5GWp1icKAArDZz4N9GhbkrNEkEnRI:zahOLp0yN90QEG
Threatray 132 similar samples on MalwareBazaar
TLSH T16DF38D0FA6E860B6D478837045E302C35672B971576856FF22CEED795E232F07236B4A
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter Joker
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
494
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
good.exe
Verdict:
Malicious activity
Analysis date:
2025-01-20 16:58:15 UTC
Tags:
stegocampaign rhadamanthys stealer loader reverseloader payload
Link:
https://app.any.run/tasks/684f2198-a0ed-4bd8-a005-e0690330e598

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678e6146e708b6e7a3adb3e6
Tags:
dropper xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Detecting VM
Launching a file downloaded from the Internet
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context CAB cmd evasive explorer installer lolbin microsoft_visual_cc packed powershell rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/678e5e2c7fa1f5239e169b3f/reports/ecfd4a05-750e-4071-94d8-96a03b022940/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/65427c7f-fa21-4203-b1c7-554697861511
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1595244
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1595244 Sample: good.exe Startdate: 20/01/2025 Architecture: WINDOWS Score: 100 43 s3-w.us-east-1.amazonaws.com 2->43 45 s3-1-w.amazonaws.com 2->45 47 2 other IPs or domains 2->47 57 Suricata IDS alerts for network traffic 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 13 other signatures 2->63 12 good.exe 1 3 2->12         started        15 rundll32.exe 2->15         started        signatures3 process4 file5 41 C:\Users\user\AppData\Local\Temp\...\fwr.vbs, ASCII 12->41 dropped 17 cmd.exe 3 2 12->17         started        process6 process7 19 wscript.exe 1 17->19         started        22 conhost.exe 17->22         started        signatures8 65 Suspicious powershell command line found 19->65 67 Wscript starts Powershell (via cmd or directly) 19->67 69 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->69 71 Suspicious execution chain found 19->71 24 powershell.exe 7 19->24         started        process9 signatures10 79 Suspicious powershell command line found 24->79 81 Suspicious execution chain found 24->81 83 Found suspicious powershell code related to unpacking or dynamic code loading 24->83 27 powershell.exe 14 23 24->27         started        31 conhost.exe 24->31         started        process11 dnsIp12 49 62.60.226.64, 49739, 80 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 27->49 51 bitbucket.org 185.166.143.48, 443, 49737 AMAZON-02US Germany 27->51 53 s3-w.us-east-1.amazonaws.com 54.231.134.241, 443, 49738 AMAZON-02US United States 27->53 85 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->85 87 Writes to foreign memory regions 27->87 89 Injects a PE file into a foreign processes 27->89 91 Loading BitLocker PowerShell Module 27->91 33 RegAsm.exe 1 27->33         started        signatures13 process14 signatures15 55 Switches to a custom stack to bypass stack traces 33->55 36 fontdrvhost.exe 33->36         started        39 WerFault.exe 2 33->39         started        process16 signatures17 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->73 75 Checks if the current machine is a virtual machine (disk enumeration) 36->75 77 Switches to a custom stack to bypass stack traces 36->77
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2bbmxedsihpknyb2zw3yv4xahcaeia3rximcufh6p77kgksot6q._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
02c53e42858c9c99b5aef5552972954f26885209f9bf30b825403433ff28e513
RedLineStealer
07a2cf7b2426399a5ac14c6e5d4ab3f70c3a3b426a79f0a3aacd0c309d75b698
RedLineStealer
0909cf95903c9f07651f4361b8e929c53a62162f6eaaeb11b0dd70eaef2c2784
RedLineStealer
29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7
RedLineStealer
357829b06c1c185e44efa729dd8671487a43778a3be1b6f46c7956f4d4cb49e2
RedLineStealer
5227b0678f64770fbe06ac5afd7686f2f50d4b186b22012693ab9e87c0d2521f
RedLineStealer
5c1917c63fc09983d5f31cb7278122405f28364b93956a96cf635e52f7381f2a
RedLineStealer
642a7f341146d4b2a5381186ec636a8e0ce7ccc16bb730be331e51d6e65f4db3
RedLineStealer
c041e7547fc7f9dbbcde766a199fb6226309c60f76795ddfe46da698664f9311
RedLineStealer
error
RedLineStealer
+ 122 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250120-rvpn5stnen/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
stealer redline
YARA:
detect_Redline_Stealer
Link:
https://app.threat.zone/submission/36b08b37-0491-425d-922a-600ff56cf99a
Unpacked files
SH256 hash:
b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd
MD5 hash:
1f060be9fbfe90811a71414791ab8c1b
SHA1 hash:
5ecbda765ea1c558ef61dc5933ab7aefc279e1b3
Link:
https://www.unpac.me/results/bb21ffa8-10c8-4db5-b661-7eecfddc1dbb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b682165c83920ef53701d66dbc579701c402201b8dd0c150a7f3fff5195274fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments