MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba59622733f580592e807c44751503149a54f104b593b097dee0d6cd9e314bcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba59622733f580592e807c44751503149a54f104b593b097dee0d6cd9e314bcc
SHA3-384 hash: be5942e32fffc90cf8ce0cca406ff0bc5c2e989db62a1814c0c5da5e85d6f3e3aadca3a80cb9c961706856048ad77d7f
SHA1 hash: 948b8a0a70da414ada34cadcf06d1c5d1941649b
MD5 hash: a5dac566745c199a3e0d2358c53a8d66
humanhash: river-triple-edward-august
File name:a5dac566745c199a3e0d2358c53a8d66.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:459'776 bytes
First seen:2021-10-18 20:12:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 12288:a5oaqjp/9T6QYXDKWPJZso//Ol8VlfylFUnR:a5v4DT6Jh//u8VlQE
Threatray 1'671 similar samples on MalwareBazaar
TLSH T102A4F05AA2E51098DAF441F7D9620746E73034791B25A3DB1BB813B70B2B9C99F3D3C4
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198307/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33822938.14445.490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
diztakun packed
Link:
https://www.filescan.io/uploads/616dd552db358dd15ec0bf0a/reports/da94f589-208f-4fb8-9ca7-c027ad16cb31/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/025329ce-45f5-41c5-87b6-4891ddf7b4cc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/872644
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505072 Sample: PIWVjhXPs3.exe Startdate: 18/10/2021 Architecture: WINDOWS Score: 45 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected BatToExe compiled binary 2->34 7 PIWVjhXPs3.exe 9 2->7         started        process3 file4 24 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 7->24 dropped 10 cmd.exe 3 7->10         started        12 conhost.exe 7->12         started        process5 process6 14 extd.exe 1 10->14         started        17 extd.exe 2 10->17         started        20 extd.exe 2 10->20         started        22 extd.exe 1 10->22         started        dnsIp7 36 Multi AV Scanner detection for dropped file 14->36 26 cdn.discordapp.com 162.159.129.233, 443, 49713 CLOUDFLARENETUS United States 17->26 28 192.168.2.1 unknown unknown 17->28 30 162.159.130.233, 443, 49718 CLOUDFLARENETUS United States 20->30 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba59622733f580592e807c44751503149a54f104b593b097dee0d6cd9e314bcc/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 15:59:58 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjmwejzt6wafsluaprchkfidcsnfj4iewwj3bf664dlm3hrrjpga._file
Verdict:
malicious
Similar samples:
01b03e3685fc9fa6d7c59ddf16457c45c27e78cb09b9800e0689a23989c0d047
RedLineStealer
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
RedLineStealer
1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba
RedLineStealer
30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49
RedLineStealer
46fa3d475c4f406890b4c26589c6c937c58813c2ee5a3782621e1b78288e35e9
RedLineStealer
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
RedLineStealer
ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
RedLineStealer
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
RedLineStealer
+ 1'661 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer upx
Link:
https://tria.ge/reports/211018-yze4tseeg7/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Unpacked files
SH256 hash:
ba59622733f580592e807c44751503149a54f104b593b097dee0d6cd9e314bcc
MD5 hash:
a5dac566745c199a3e0d2358c53a8d66
SHA1 hash:
948b8a0a70da414ada34cadcf06d1c5d1941649b
Link:
https://www.unpac.me/results/a0dad5ef-b04b-4624-9586-9db1365435c4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ba59622733f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba59622733f580592e807c44751503149a54f104b593b097dee0d6cd9e314bcc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ba59622733f580592e807c44751503149a54f104b593b097dee0d6cd9e314bcc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642816/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198307/

Comments