MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c457e98c81f2d1f86a9062b8f7524d1f496d0d71da2c4213b5992a6d6544521c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 18



SHA256 hash: c457e98c81f2d1f86a9062b8f7524d1f496d0d71da2c4213b5992a6d6544521c
SHA3-384 hash: ea7077021c31c4a4a342230e589fa6f8a45349c40391d9a52089d8cf5f53be9bec4a85ea4b4b023305a2fcbaac8001e8
SHA1 hash: 89b184338bc0880d28bc32860fa278d8d87b3901
MD5 hash: 6043571a63d5cfceed629f40eb18a183
humanhash: paris-sweet-zulu-alpha
File name: 6043571a63d5cfceed629f40eb18a183
Signature: RedLineStealer
File size: 578'048 bytes
First seen: 2023-02-21 16:29:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:QMrOy90ChBWkGHdhduXFr4rpZBX1UDRe443kBumsJ:OyBWB9Cr0Tg00sJ
Threatray: 5'966 similar samples on MalwareBazaar
TLSH: T181C4120BBAFC4071E979177055F643C3163A3EA01A34865B238F6C5A18B26B4F6367B7
TrID: 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 6043571a63d5cfceed629f40eb18a183
Verdict: Malicious activity
Analysis date: 2023-02-21 16:31:56 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: advpack.dll packed rundll32.exe setupapi.dll shell32.dll stealer
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph: (graph image not reproduced; the node data recoverable from it is listed below)
Behavior Graph ID: 812774
Sample: V7m5NxFw7N.exe
Start date: 21/02/2023
Architecture: WINDOWS
Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Process tree:
V7m5NxFw7N.exe (started)
  dropped: C:\Users\user\AppData\Local\...\pXQ38OI.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\dsR6126.exe (PE32)
  started: dsR6126.exe
    dropped: C:\Users\user\AppData\Local\...\oPT53Ra.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\ndV38PF.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: ndV38PF.exe
      network: 193.233.20.20:4134 (source ports 49712, 49725; REDCOM-ASRedcomKhabarovskRussiaRU, Russian Federation)
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Crypto Currency Wallets
    started: oPT53Ra.exe
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  started: pXQ38OI.exe
    network: 176.113.115.17:4132 (source port 49729; SELECTELRU, Russian Federation)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
rundll32.exe (started)
rundll32.exe (started)
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2023-02-21 16:30:11 UTC
File Type: PE (Exe)
Extracted files: 84
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:dubai botnet:kk1n botnet:ronur discovery infostealer persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.20:4134
176.113.115.17:4132
Unpacked files
SHA256 hash: a37e64077bd649c5e305b9af78656a7022f62473384936d35987e4437305ed4d
MD5 hash: 23e7c0856852a0d79341f1ecc7af2abe
SHA1 hash: ef445222bdf002335c9730c81830a017c041bb2d

SHA256 hash: f88dc6ec75c696175d5f453879f26ad62740e43db27553f023460418224eab20
MD5 hash: 16037d6b6faccb3781fd792c9290ad0c
SHA1 hash: c05c750fb5286b92219a1848cc6eebaada31da85
Detections: redline
Parent samples:

SHA256 hash: 89df917d12815e8fbcd3c971986bb7a0acce027f6500641a405d1b74d63e9e76
MD5 hash: 9259c0a26b9e36c949da3e4e3b39657e
SHA1 hash: 64134daeacf5410d56669fa465978e46bdb7295f
Detections: redline
Parent samples:
5eca819baed9b9624bfcf5b048699cbde7d8a9d9a0f28a99fcad341f775972f0
34fd6c819f0ff0375583329f712d9ac94a78ca8314e612d4bd303ea8b918d4f0
cdeba0eba80bbae86bb235e1c629c707127654097fd1624ba6f21da81e557a33
c457e98c81f2d1f86a9062b8f7524d1f496d0d71da2c4213b5992a6d6544521c
9efee2d57d835c791d0d02054f78a246f2a789e279aa586f16819e438fad9c38
ac66dc201f99b597ee2e1927a3e8f1667bdf7705f2c8ac9ada9b04118d3a61f2
bab8a2a0f1ab5cf415fe8230b4c5d9f5b51bde2e60d1c142cb88a78fbdddcf9c
c120e00022d8d427c3bbc86bfb7d1a3da8a04b19df70e971293f22d30238624c
ea09554bb47d16149144d42b26d9022cdbe753b6026626ebd3ba99be8511777d
e9544006dca36ca79094c4bb17ebcea6d29a040afca043b247feb533a85847f5
2c9c5dbdb68863ae4863c444c9ec8b67968be535fab0808ccef55800370950cb
c43843275c563c3f8e31ee39a2a9ef867959593caa581a73885d0cbb0d61e056
96367578de9eea233fe132d6ec683bf0df1929d30d4570c59fd409822d7a9421
ca02d7d9ded6d35965b5eae79da178fbb884c9002ae33b342a689ee8842990dc
e5642d5842867e0544eb5cf2d31b8970ad464fe431b40b598b69bb5386b19a1f
33246d2f91d2e22590129f20c87ae87721ef288bbac63ec505a32e8086f9c14b
0a12415d4ce544b02e87b14fd12ac08cee2fa00ec80717f466a5c8c03e7d76ca
cd290df81e4bc1c2d7fa0c3debf353ee844fa5400544b586bef492ee3b6b184b
ba696597b9fff0a8682b340684f4eb8e5c829462009b26517ae28439ae12018c
988881d6b5554563391986f4cc019b18e36274597fdb3bd54ef7c5603a516bdf
eed0b3a6fb74e267169fb3e613e39f9d7fd1b815270985e6af6512ceb0e173da
79b3f8aa0e868c6b8c04b02f5bb890631009ddf74ff1e5d574b4303d954bf8b3
ecf7e79f4ad960becfe646b8941da7e96cfb5a04ad34da396e0663d7a65d955b
8f9cdccfaec13234321bf87ac4f9dd97412ff37c67b1abdd852bf72f7af8b155
61ab8034851da4259a5549809986cdc2feeb8c93194694162688f55c2f049900
5748216db52452f7a69415930cc592edc60c0db68281b52037030481cda7a067
0c9302498db90160cff7d95614361c03c0f9ff9fd97cb76a1bb1be2ad7afd54a
7b46906487b2f9f8c8dc7be3a346474072a305ca91373ac2a1fd495f517fc9cd
bc5b6b0e77db4d4509fa67b210f8b7af16a435283749c9d6ba1969f0d32b432c
af76c3d3aef0ac6b1275c440f820e0643419ee24a607443db8aa998091bc1428
b679409761837369936d5cfaa45f00dec518396c0b0312d8e26e17b90f5a5a1e
f6f03a1141e356c5011556d3ab3751f5fb087bfee4984b4b3c2d57581e39f4a0
57de7c5166d015792bbe850a2fef9a000effe869ac681e186c70f6060925e731
7bbe59fdbd5e85422e132c114695cb24d9e2bdebec50e938a6f92cadaeaf7f90
cabf1a144990b86298b896efc2e21f4e783181e9aa998630d4b4f8a08746a802
847f2585cb584ae36ddf98de3cdc381dfb09eab5c7695bb8f86730c880d90ba0
5f20bf1b94928038c0bf919d3babebf2d51646b8644235ed41e5ad87602e39f9
f6f9ba562369237e4c82a10722d7093dea088c5c8eac2506e6bcdf7350a4febd
bb9b0f0b2564e1817399025d209a51878f070a9c0370d341398cf1c4caea59c8
0f316ce3a18b7930b2098f26db8be64ee8b31b36b49bada7ab15943cf7dbd882
6601377a6452b4ebd504d0bd07b82319874950b94f471a52ea3198202a856655
566d25b423d6bf5a65a878989dd5d6b491bbafcc7e41616aa34a94ebb4959484
7db9ce537abb3082009a20dd309807fb2422ab3397ed6b48c1e57302ef48837e
e4f3f9bd49f357b7002bd4538f5397dd38b57449aeac49a536599f1d26b08b00
5ddabb6c8573a0f1953ea77bce93fd5eaafc47b87c8c081cc1ef1c2a2b26f6b5
f65e55d88f8b2daacada6de651bd66e788faea3d5e6c673aa3f5983f08c82db9
28573d964c471ba36c4bccc510197af2669c1498ce5b041d90a9ff4c5f136aec
51c7cca00712801ade62d62309c2014231c9e447ca76829fb24de1712ee935d0
d7623470361773f0fed6970ecf4fa4ab51d9f6ebc9ecf4828c77b72136c945c4
955e4add7fef760292d37853c801d3682f01b3db7dad1fe2eebddb3d6c80d8d0
06c034757f977337ebfd88435f03a269565aa91bcd0c12e3b65fa67be93a08b5
cd8d689bec5ed6c84ed23236955e3f5564df831e49fdcac52af1f403e2edc451
65b02fce0684db534cf8d2875a40ff756d7c7b8a9914154b5e9d274068150f6a
f6b542f9c7c64910063aa3b4036d864d61546844290113d1c74f9379ae696f19
c3d4a3ed8d9548266be03aaa4e4cdd0ac00426289f147f47281c5dc7c646dd9c
4bfb921c92892a88aac869a408968a660b2f99c9f5045b77ba109c30bab2de5c
9c91566fa2ee262269c37974f59cfea87632da804e48af1a53977395a9199ead
fca9768e262acf8541edb720f60e487fb1b989cbe9e69691ff5e1c40e8d7b8ff
e3b8d5e7e6748052efb0bd12fa34b3d6b15014b77c2f7292959864f54bb929ff
fe1401d3b0ca1bf4da5836388c9c39b9e38ab2cff32fbb8e98d0bb54a1530ca3
4eb6daeb4425e9babe68b3e22510096ce80773198a67bf1e4518359e3a85154c
e035c6f0110b8fe9ced16e8edbd57b14ef21773f1ff7b6f047f8b4b355892bef
182546aa1bafd3b66a1c52f9d02f40f370f56dd143afdaab2ad2301e71c11d05
825873e0a5d8d2de1f493a046f4334e8dfa846975cdfc6ae41154cf63891c7ee
29ee1adbe52473ca1ca2e30672bde86ace7ea2658f6aa10bea16a1a40aef4cc2
318aa920bf04fa3b8d1fc59b10f907747820aec84a79d9ec7cac479302620c88
785755222a312d20469e673184727d6744809e9fadc13ed126a7c8d127f0d6f9
2bbe4647c6e089301d77919055997822a0a99de760d36b198a49ff17c6c6b839
56bbd3be92881af5ce1ad036c072403a275543793b5645a3026787dab0c68b19
08fdd7a5dfca7199af1ce03436a876b725522f3afdd1fbcd1bb4d1be527efb62
aafea187dce3f09b11d83fd877815b9687772296c1e06b110bcc6c427d7b9a59
da60922aee05f23dd46551ea84697e1b53bf3f4f23ed0e2e9e3852856dcb357e
e3db4b66c4a0e4149b65aaa9742cf525c366affecb66f8e1636dde0acc60706a
37a481250fba32a58cb9edce695ca8e79871bce31048b139bb5562e7bc5d6263
2e472c2bd9c0caf6d7137d706396c28b4482e924f9cc66dd34ea68919e28c835
308d9de342b378cfb5d354820bda09c58c8c3ee67b7755c7b60171a220cb137e
4b73fabdffd00b7a6195fa096056d2aee0b92a24fe39a03bc2a05739c12dea96
1ab8530a27e06458681d617de648ccd2e290f8a4c40bbb9dcedef7aaf68f606c
9f54831799b2eec632023227a3878eac82f28d2458b16bbd03d447e5bdb08ecd
3ef01ee791869b832e357a076b68bd9171040c88be601911cfbdd6782ab00909
67c35635a2bde7ab0b4e1c3d31c032ea9b1635fb942f3870cdb6b94db7510c2c
4ff1334aa7a3790f75a40310f5839056e43c130199f761d2a82a84e7d57a1e6d
adb452d5dfe248e6e2b12103bd57daaf2749aab3d6a75f53068d4e96b0dcf747
b0627436faa99e47e4bb04f588fd047986147887a03c25a92cbd2348e0fba4cb
d4f0b5cb717636ae26e08e9c2249ec6b888372effdf8fb0eabaacb77edfd0102
b1c87ef62fa53f053801cb96a105fa1e3164f11b110babe210864181b3620614
802c163bd044ab5ec2235759ba39d173905de326b2a79051a1e58853a247ba82
75fe3828ff3ab874cb754dc3d5852ad90944f8c05bfd7226652872d391e0613f
668f014732e2576d67a6cf8a6949ea2ab634c8d2b15997684abf99a8991e3ac6
126575fa347e9012fd409e1692f132143f869541fc2445819d640fd1e7c60065
879f2f1584ebdadaca8f645280dca1b17b03a40f587b8de875e1f86b451fd3ed
80d6758fc3e6a83608bc60dfe1693e9d24cd3207df0722d58209e14c2685aa22
8ac2d28d9473cf364e5f675734c5e86510a343e2e685aefe8ff0c4060ca11f3c
990d16c98d18251e2a9c57e517e8f09c187233510276a455202c2f0a2e93db56
SHA256 hash: 52c5afb83154ee9101fccfec88f726b0fd7f24a82652753e885c4fe4a61119c3
MD5 hash: 55b75737301385286e6325c457888c3a
SHA1 hash: cd82b33c7bfedded6352aff0fe033f2b0c6ef8f4
Detections: redline

SHA256 hash: 23cec5aa2db1c16cdf06f18359f2424521cd31c85357a52018d33d20df0bc1b5
MD5 hash: 650e6d659d17f1e4a49abfc03d6a3cf0
SHA1 hash: 9e6eb79055cb899d00aa7b1e0a1c1a6010e1dde5

SHA256 hash: c457e98c81f2d1f86a9062b8f7524d1f496d0d71da2c4213b5992a6d6544521c
MD5 hash: 6043571a63d5cfceed629f40eb18a183
SHA1 hash: 89b184338bc0880d28bc32860fa278d8d87b3901
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: c457e98c81f2d1f86a9062b8f7524d1f496d0d71da2c4213b5992a6d6544521c (this sample)

Comments



zbet commented on 2023-02-21 16:29:32 UTC

url: hxxp://193.233.20.18/sokr/egor.exe