MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44
SHA3-384 hash:	9ada547779a62cc5a77a9e9e021fffd0f31981fcde34f7cf7d18422f00015d980710a0a02be80e4ef5f341cdc6c1f32b
SHA1 hash:	de2a1baf7d9e9c5e88e252ed9bfa4a26e399c846
MD5 hash:	29db3998112f292634599815b671a530
humanhash:	whiskey-pip-december-single
File name:	29DB3998112F292634599815B671A530.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	146'916 bytes
First seen:	2023-11-13 16:30:23 UTC
Last seen:	2023-11-13 19:04:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	eb2b10ba375bf2e968fe526cfac1a5b4 (1 x RedLineStealer)
ssdeep	1536:XyAdodbwXPx9qljyK+UvD24gZaOJ3FwwDK8ku4gA/7n1dlOPAD8uloj644v:bgjyK+GDEa22wjAhsAQuOjh4v
Threatray	52 similar samples on MalwareBazaar
TLSH	T14FE3BF06F1811816FAC6AB31396094501DA9F169DD6E02B93BC4D03D76EFFA380BD57B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
23.88.32.230:443

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/458355/

Detection(s):

PUA.Win.Packer.Ep-7

PUA.Win.Packer.Embedpe-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware icedid pandora ransomware

Link:

https://www.filescan.io/uploads/65524f46993fbf888b73fbd4/reports/64ae1577-6555-4957-8763-f38f1cdfae68/overview

Verdict:

Malicious

Labled as:

Ser.Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/97303698-cc74-4180-b562-b6d354f33399

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1341805

Signature

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-11-10 02:21:00 UTC

File Type:

PE (Exe)

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xixjzhzty7lemlvzkhakv7nkkqm6lcgl6faschrpve5xig7lxnca._file

Verdict:

malicious

RedLineStealer

3eb310f8d5efd369668424db8a545463e51dda3583a7054bdcba894c20513be9

RedLineStealer

5a5a392f1ac3ed032255fb484266319c42da2468bd0e1fbf7ec74ef39d5e17af

RedLineStealer

8bbd1821868c2a806e0dcabbce2c22a5f48ea4e8ae1fe6d86f9760ebbf18b700

RedLineStealer

a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

RedLineStealer

aa23c8b6468593d23f9e186b7d377a6136a2cd6cf6ebe7e927101b36fe9bf22b

RedLineStealer

ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44

RedLineStealer

df4138a66646a5635fcb28efd5b0e7a8df86a67b77e9105516b83cca0233c34a

RedLineStealer

ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcaec7f383b4d81d1b318ee

RedLineStealer

+ 42 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:6699398393 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/231113-t1cymsdh3y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

https://pastebin.com/raw/NgsUAPya

Unpacked files

SH256 hash:

bf1e56b7b89b8ba1858946e8bf67eb9c47ad601ce8760ae1904892daeb88f60a

MD5 hash:

47ed04207e497014e972c8e150b1ddef

SHA1 hash:

3d228c9c617d80429f61a716f534c1586e2192ee

Detections:

redline

Link:

https://www.unpac.me/results/70174060-7a2b-4053-8595-e278418caa9b/

SH256 hash:

ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44

MD5 hash:

29db3998112f292634599815b671a530

SHA1 hash:

de2a1baf7d9e9c5e88e252ed9bfa4a26e399c846

Link:

https://www.unpac.me/results/70174060-7a2b-4053-8595-e278418caa9b/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ba2e9c9f33c7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/458355/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample