MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7
SHA3-384 hash: 448aa25807e095461006f08717d3753416dc3f3d9b20be7380fa3e109675d31f503c630007e6c818432c0695f28e3726
SHA1 hash: 5fda11fae4f985bd576f29ff3a1f07723db422b2
MD5 hash: 6ca8962e972e9e1ffe05ba0fe826fc1c
humanhash: speaker-hot-california-coffee
File name: file
Signature: RedLineStealer
File size: 502'272 bytes
First seen: 2023-10-28 01:25:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 84e31d32a2cb7830e40cfcbea395c7a1 (6 x RedLineStealer)
ssdeep 12288:1iQBJ9sO39Wf2xl7B6mb4X8UmUUWG/avHo7Zv:T9j39WOknG0Ho7Zv
Threatray 524 similar samples on MalwareBazaar
TLSH T127B44B958583C0B2CE981E7E7DD83AE04FA12C3419E13DC7AEC9F98139B7565736092B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
387
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
New Text Document.exe.zip
Verdict:
Malicious activity
Analysis date:
2023-10-28 16:29:31 UTC
Tags:
opendir loader stealc stealer sinkhole miner rat asyncrat remote amadey botnet trojan teamspy formbook spyware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj
Score:
80 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Spyware.RedLine
Status:
Malicious
First seen:
2023-10-27 22:56:54 UTC
File Type:
PE (Exe)
AV detection:
20 of 23 (86.96%)
Threat level:
2/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline infostealer
Behaviour
RedLine
RedLine payload
Unpacked files
SHA256 hash:
90a9a9849f92ea3833f8255ee4e5e99a3c7ab0be5096f67a2b8432afade7e901
MD5 hash:
143c57a2fbf1ccc1766679f4c26ef58d
SHA1 hash:
2de3e21b3a02a8acdd003a470b6b0c9249dfb528
Detections:
redline
Parent samples :
SHA256 hash:
b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7
MD5 hash:
6ca8962e972e9e1ffe05ba0fe826fc1c
SHA1 hash:
5fda11fae4f985bd576f29ff3a1f07723db422b2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7 (this sample)

Delivery method: Distributed via web download

Comments