MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db
SHA3-384 hash: 2f9e594cb9c3d846f0299e9e946db4fdd7568bb91094ce9403d1c13e0a8aa0e6a10f7ae500d7b660c5ce7a848ce1351a
SHA1 hash: c91f516d5edf7f4d88e8d0d22ad9f454240a1fc5
MD5 hash: 4fda10dd689cf07faf7ccad6eeb5b8b3
humanhash: nebraska-connecticut-magazine-magnesium
File name:4fda10dd689cf07faf7ccad6eeb5b8b3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:139'776 bytes
First seen:2023-05-14 02:10:30 UTC
Last seen:2023-05-20 11:06:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:ZDBWgzc6p4x9s9BB3Sm1xRCh4V5KbVb7d1jpUsYgibfbFDKsRo:ZYgzc6p4oTLDQ43+xB1jpVYgafJlo
Threatray 482 similar samples on MalwareBazaar
TLSH T1E0D33AD973886A9ECC6E897094750C28C7F0A0576207E347AD47F4EB6E1DBC29F191E2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 30e4c0d8b686e464 (27 x RedLineStealer, 2 x N-W0rm)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
84.54.50.26:41866

Intelligence

File Origin
# of uploads :
2
# of downloads :
521
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4fda10dd689cf07faf7ccad6eeb5b8b3.exe
Verdict:
Malicious activity
Analysis date:
2023-05-14 02:13:38 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/1c921dde-e1df-47a6-8f42-dc4bc11a62b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389288/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.26869.23189.28125.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex packed packed
Link:
https://www.filescan.io/uploads/64604337ad8185420f897fd7/reports/aac2ef9d-717c-48b9-884f-5a5d0b3c009f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4427443-11b4-4caa-8e3d-71a604ec212d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232491
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-14 03:01:29 UTC
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xal2qrwcs5i5em6kpipppcbm4ixrhz5gb2n7gzghz52kfjvtsdnq._file
Verdict:
malicious
Similar samples:
1d6f12232ac800688291e8e19c2c8b5fbf8802e9bc1a2a3baac9784a6456e902
RedLineStealer
45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81
RedLineStealer
514d7fdb59eb0225a784836750ff0d7f565cc8fc45a1417640e4d6dea3cd2cdf
RedLineStealer
686ccd58ec8dac51b7761795b220121ff120a841fab978f0f4405da6d36934c8
RedLineStealer
72dc7b41e8958e28b7b715edb7b6d0d12962c8c492eb856db5d2659df5472b52
RedLineStealer
9dd8c473f15d8ea5808f671bcc6474a05210f7c8e6c3f51933421a94d29ad93c
RedLineStealer
9fb7c1285a5e3bdf3aeb2f9c29a608ed8bd30f8c6321969b531194fd06cb5014
RedLineStealer
c8874fba9d75b6123dd36ac6b5f5b070cf9cac892b25d5e457c044d550f83a7f
RedLineStealer
ec2bad11a9aa677657484e1d0d4033f6cec7db242b9ac691666404d51d95497f
RedLineStealer
ee3420104dd6e2eb1e067d837aa5ba5bbe2a0ae789d7760600c3fec106c34750
RedLineStealer
+ 472 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230514-cl9wdsad45/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db
MD5 hash:
4fda10dd689cf07faf7ccad6eeb5b8b3
SHA1 hash:
c91f516d5edf7f4d88e8d0d22ad9f454240a1fc5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/57ec7e44-8ae0-4930-9f96-5936944576df/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b817a846c297/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2631570/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/389288/

Comments