MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d
SHA3-384 hash: fd3a4ea8c68a05baa7243b0cf8d9f1328c93825c96612ff85bca05f4e396a835c7bcbe53d1cfe64d8f167f6101c4ba29
SHA1 hash: 6f1483a40fa0d9ae091971fa2a80fd5fc200fd26
MD5 hash: e405c8100d6249b51115209ee568cf4e
humanhash: tango-batman-eleven-wolfram
File name:e405c8100d6249b51115209ee568cf4e.bin.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:242'560 bytes
First seen:2024-02-15 11:10:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f494e9bb2753c3b395b9806eb5f3c320 (4 x RedLineStealer, 3 x LummaStealer)
ssdeep 6144:Tg3Vo6e2MOUFD2wZv0S5w3Cu/boya9Ca9T:8lo6ejD2AsS5w3CIa9Ca9T
Threatray 70 similar samples on MalwareBazaar
TLSH T16A349D02B8E14B25DFA0363017A5DC5956D6BA301E1199E3EF74070EAAF1280DE6F7BD
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.252.176.25:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
383
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-02-15 17:02:23 UTC
Tags:
opendir stealer raccoon recordbreaker meta metastealer loader hausbomber rhadamanthys cobaltstrike azorult agenttesla phorpiex trojan
Link:
https://app.any.run/tasks/8530fe29-0bae-4039-8017-d203dc91f751

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/476326/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/65cdf14d721c476da6b3b8f2/reports/ea14efdc-0373-4522-9dde-46ec8ae1b226/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e97e23a2-378e-4a55-b23d-3ac89725da47
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1392816
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-02-15 11:11:05 UTC
File Type:
PE (Exe)
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z35b3itt5bzlwdat5xrcksmh5e5yilbcmvbtjhwyery4w5smragq._file
Verdict:
malicious
Similar samples:
4d8bcd6de5da1e7875d2054dbd3852424b11abad68aee29c03b46ca2408626b1
RedLineStealer
59d5792a686cdc71cb691185b0abb22ffbe40e2c79db2367f3917df2afeb4655
RedLineStealer
6aaf7768525102f1d8f6418756663c78898e0b701222a196636dfe3d9fb23c62
RedLineStealer
ba2e9c9f33c7d6462eb951c0aafdaa5419e588cbf141211e2fa93b741bebbb44
RedLineStealer
ca0eb0fc3b97aca8601de95ca56fd06f565a63f7fabc508bf7f9deac8d58ef18
RedLineStealer
cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d
RedLineStealer
d2df430d281ad78bc0690d63df9896fe195e2df53f2e9182c6f459094f70aa45
RedLineStealer
+ 60 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:511756097 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240215-m99kmsfe76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
https://pastebin.com/raw/NgsUAPya
Unpacked files
SH256 hash:
93e71d624656307338ab9681397e257317ff5916ba1a2ae9d2cd8aa4cb864126
MD5 hash:
2a393bd2db9f7ee7deaacd6ea0a7f53c
SHA1 hash:
d817c55811e24e4ca12145a869da60c8e4e1cda5
Detections:
redline
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/e795d826-5dee-4b8c-911b-f62ccdf822af/
SH256 hash:
cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d
MD5 hash:
e405c8100d6249b51115209ee568cf4e
SHA1 hash:
6f1483a40fa0d9ae091971fa2a80fd5fc200fd26
Link:
https://www.unpac.me/results/e795d826-5dee-4b8c-911b-f62ccdf822af/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cefa1da273e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_b1f6f662
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cefa1da273e872bb0c13ede2254987e93b842c226543349ed82471cb764c880d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/476326/
  
URLhaus
https://urlhaus.abuse.ch/url/2761698/
  
Delivery method
Distributed via web download

Comments