MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0
SHA3-384 hash:	4a6f61564106a55f736f2ac27957e2809f22a1b644a0a3f36758dcab8ead4127ca0373c97a5dc60d66594094b7589131
SHA1 hash:	7743f3e9ac2f7cb50804bc9242260f0034dcc886
MD5 hash:	578806cb25a3a08cd45c057bb6dad5f2
humanhash:	texas-beer-fanta-juliet
File name:	pdf(1).exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	10'603'008 bytes
First seen:	2023-12-14 12:33:44 UTC
Last seen:	2023-12-14 14:21:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	196608:a7S2pYPcpQfWG2v/iX2DOn5Py0B9XUmRV3YltCzn7ajPYqreTW8:a7S226G2ieCB9BHpL7cPY9Tr
TLSH	T156B633A8BB54CDB8DDE428398833B72869229D1A0DD2C7466D0C76B45E353CC3B7B167
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2daecf0d8ccc8d1 (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	bookinggoogledrive exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

374

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

http://89.23.98.92/file2/pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-12-14 12:45:06 UTC

Tags:

loader stealer redline

Link:

https://app.any.run/tasks/5cdbb7d0-f78e-4ec9-8675-0a7c00cce737

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467455/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.27114.661.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm obfuscated packed packed smartassembly

Link:

https://www.filescan.io/uploads/657af64318cffa73b1e55636/reports/d88ed8bd-cd5c-44ac-8c0c-20077a6a47e7/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75863f85-1a01-41fe-88d9-d46e7a9482b4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1362110

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-12-14 12:31:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zfer6xvsqlnpnnjw6uk4zhqqgkxwfem6oj2efrhh5s6kf2oy7cya._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/231214-prrm8adegp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

427d3c8ba812127e7aee266e0046d2f473c292b6ce6cfbf0909f4690fecfcbdf

MD5 hash:

e38e9e0e7097fc552378f6df62750e0f

SHA1 hash:

8c855afb16a7ff68f6494ab6c5cf8b05723405de

Detections:

redline

Link:

https://www.unpac.me/results/5091c196-dd41-475e-8284-5ffade762f8b/

SH256 hash:

fd9d76e47f1d38c5cbf6af9ab0bd8645a45dffda6c35757d7dd69ffd6f4944b9

MD5 hash:

035addadfdae06575ed8ea373d4884b5

SHA1 hash:

03a761fa849d9519b979f755805c03d4a6af9443

Link:

https://www.unpac.me/results/5091c196-dd41-475e-8284-5ffade762f8b/

SH256 hash:

c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0

MD5 hash:

578806cb25a3a08cd45c057bb6dad5f2

SHA1 hash:

7743f3e9ac2f7cb50804bc9242260f0034dcc886

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/5091c196-dd41-475e-8284-5ffade762f8b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c9491f5eb282/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0

(this sample)

Cape

https://www.capesandbox.com/analysis/467455/

URLhaus

https://urlhaus.abuse.ch/url/2740545/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample