MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001
SHA3-384 hash: 4d55934eed3fe385204f4f2c9931b8a1b395aa7d6b2dc2b16d5b65d42e9e87ddf80d50bb4847f1ac1395d594ed37cfbc
SHA1 hash: 7f7d5a2bfe634ef30bdd4c1f84af7283234a52b0
MD5 hash: 47b5d25889674d95905aab2d241e00d7
humanhash: florida-paris-uncle-item
File name:47b5d25889674d95905aab2d241e00d7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:584'704 bytes
First seen:2023-08-10 06:27:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:a/kYWZCssXMypqpC734Dgv+5oq3tDiuS6vtG5ix:acYWm8ypqeOVLtWh6vtG5s
Threatray 245 similar samples on MalwareBazaar
TLSH T1BEC49B22B7A4CF26E39307BBD6535B8202281C497741EC319AE648FD8595EF9CDCE193
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8a116d8d8d6d118a (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47b5d25889674d95905aab2d241e00d7.exe
Verdict:
Malicious activity
Analysis date:
2023-08-10 06:33:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2708c74a-db89-4e75-8276-7e343bb6adc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441897/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.60031.17506.21214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a window
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ClipBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84504df0-7ff3-4a14-90f3-9d1f0a12c819
Result
Threat name:
Redline Clipper
Create hunting rule
Detection:
malicious
Classification:
spre.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1289210
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Yara detected Redline Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1289210 Sample: O7ajZbCUYN.exe Startdate: 10/08/2023 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Antivirus detection for dropped file 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 7 other signatures 2->34 7 O7ajZbCUYN.exe 3 2->7         started        10 forum.exe.exe 3 2->10         started        process3 signatures4 36 Bypasses PowerShell execution policy 7->36 38 Injects a PE file into a foreign processes 7->38 12 powershell.exe 13 7->12         started        16 O7ajZbCUYN.exe 2 7->16         started        18 powershell.exe 12 10->18         started        20 forum.exe.exe 2 10->20         started        process5 file6 26 C:\Users\user\AppData\...\forum.exe.exe, PE32 12->26 dropped 40 Drops PE files to the startup folder 12->40 42 Powershell drops PE file 12->42 22 conhost.exe 12->22         started        24 conhost.exe 18->24         started        signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2023-08-09 05:36:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
20 of 38 (52.63%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynemg522asa2u2zffx3apeqzwvqx76hcdmxbhr7sgbuevgysaaaq._file
Verdict:
malicious
Similar samples:
12acc28c683190195fccfea230f47491c084d01f5d5fa975ba82135e1d0c8fa7
RedLineStealer
2f5d5ebb1081dde3e9314ebbc61466f3686361d356f881533725d6fbf0002aa8
RedLineStealer
34cd4efd5b358e557b88e0cc4a3bb16019664d074ee0c9b895ad49c44b2ce2da
RedLineStealer
7ce7eb7e7253f514a68eb5e5c6e8690722bea15384f5f58202394b6a74f785dd
RedLineStealer
7d6bc9c488ef81546e89c929a34e3d067ff083599c80edad38987fd0771cfe4a
RedLineStealer
8776ab0754e874c4850f80bd4b455ee1f55c3be6e44d307edfd3b1efa58d257b
RedLineStealer
aa0f96be29bd7888fdbd195fb56e741aad5f13b9a1df4a7e74a085924240f597
RedLineStealer
c3605d9a7e5cd2f57b09f4e5721b9817df3803e113d10cf8a70859cb73d02e3d
RedLineStealer
c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7
RedLineStealer
e09931997c18281c3a4cb81710b11a2924ed9617e60106fccdc2d6564b81e40e
RedLineStealer
+ 235 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230810-g8clmacd2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/a551c50b-71a9-440c-80ec-dc31e5be257b/
SH256 hash:
0b9838ebe4be87a56040ed63a50c8ed16442ffe5580f0bf4e6526462cc8053dd
MD5 hash:
23d2f8c099634ce7a799d5cc450639ad
SHA1 hash:
15d7a3fae12e3ec4182eef75e2b01a13a3842392
Link:
https://www.unpac.me/results/a551c50b-71a9-440c-80ec-dc31e5be257b/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/a551c50b-71a9-440c-80ec-dc31e5be257b/
SH256 hash:
c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001
MD5 hash:
47b5d25889674d95905aab2d241e00d7
SHA1 hash:
7f7d5a2bfe634ef30bdd4c1f84af7283234a52b0
Link:
https://www.unpac.me/results/a551c50b-71a9-440c-80ec-dc31e5be257b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c348c3775a0481aa6b252df6079219b5617ff8e21b2e13c7f230684a9b120001

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2690743/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/441897/

Comments