MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3
SHA3-384 hash: ad846c785ceb0259e4c585f10963585dc7ed067d0af87d1c835d08a77a9325da9a7f41fa926351b64b72827aab113e84
SHA1 hash: 5af998d9d3ca5cffaa35b9f615a67ff237c036d3
MD5 hash: 9698781475f1b54ad3b12be8112002de
humanhash: utah-bulldog-oxygen-winner
File name:SecuriteInfo.com.Trojan.PWS.RedLineNET.6.663.28425
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:517'192 bytes
First seen:2023-10-21 11:49:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb8b51bfd9f71c7452726205f579a090 (11 x RedLineStealer)
ssdeep 12288:/kdZmL+3gTOhc5qf5IsEV1JtYbXwrS+GzZFVy9pUcuP+VRxL:s4LgQ5rdV1sjgL
Threatray 401 similar samples on MalwareBazaar
TLSH T191B45C33DC4861E1D2D71C7994A98D6558F9BA6123F16CE31E6C0A4FCA363D3EF29224
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.RedLineNET.6.663.28425
Verdict:
Malicious activity
Analysis date:
2023-10-21 12:09:23 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/0b87d2ee-be57-42e9-827d-d43e79b38c3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.RedLineNET.6.663.28425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed stealer
Link:
https://www.filescan.io/uploads/6533baece3768e7905c4b775/reports/e1ad2c5d-fc3c-4232-a880-4fd0236cd616/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/451f82ce-1f86-4794-afc4-938240b533f5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329666
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-21 09:24:27 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrkkxxcydflrrfmsxxsb55mpefxduvevsyfmcyvlegtdqbevyczq._file
Verdict:
malicious
Similar samples:
45b6def20feedd1394fbf0c6c8884932836b315bd8acf4c03808f293628a1ca0
RedLineStealer
514e2e15b07d9a29270781043a5aea8eb289fcf952355972c18b1eb256cadbb6
RedLineStealer
677aea100247ff0f83128c3355de1cfbf24d176ba28d27b489e9b07ff17e65d1
RedLineStealer
7c7d8541766ddad17d9735ed7183d3d7e3433ea580258ed89f465fc8e91d3b82
RedLineStealer
7e8329ce45baad20bd1b7ce9bf6e6f1d6ea5935904130a70a275617f522fe238
RedLineStealer
9481382a3f7b57e43068571a3fbd242e48321f802b219fc09d32f76f30272ca6
RedLineStealer
9b05dd809ce00e1f1e9c79cd9216de50322ec66df8b3f50ce3e36b31266439c3
RedLineStealer
af54a35dd3ce3d2584bcc29d858664b3fc7304f0996d7bf07f6ae95e75c5e698
RedLineStealer
bd40ae0f9a2ee01b7156fb13219c0163738c64084eb5eba7ad69346918876c48
RedLineStealer
e08da1e1ee8b136cb4bd34f7f014816d628e2f5212077112a1a4c9bd3a2078cd
RedLineStealer
+ 391 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/231021-nzlw9sfh85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_stealer_bytecodes_sep_203
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2722687/
  
Delivery method
Distributed via web download

Comments