MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41
SHA3-384 hash: e20207f1109ef94dd1c5f2568769372d577890152c901de652644ba6b6d2642e80b3bf7647892831f284e58feb4d1806
SHA1 hash: 9d68a17910c7081073730e260fb33f59e3775eaa
MD5 hash: 6431189d77445b500e483a2e28433266
humanhash: charlie-florida-asparagus-beer
File name:6431189d77445b500e483a2e28433266.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:813'568 bytes
First seen:2023-02-11 09:04:55 UTC
Last seen:2023-02-11 11:01:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e80af93b195fb557b35f70c8d199fe4 (1 x RedLineStealer)
ssdeep 12288:LY/QkRJLqmUQTA/xvohGs7DnB0xJtjSlzM9IZjpC5TqfqAn/0BtwNLjXs:LYxvNUQaxghrdzMKtChK9L
Threatray 18'635 similar samples on MalwareBazaar
TLSH T19C05AE44B7CF90B2E565103A4D79AB311D3A6C360B328DF75BC03AB869349D86E361B9
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
fba46e37c4e7828a224115a11228f1e0.exe
Verdict:
Malicious activity
Analysis date:
2023-02-09 13:01:04 UTC
Tags:
trojan amadey rat redline loader evasion
Link:
https://app.any.run/tasks/7b96da6c-492e-49fd-800a-9829d620a607

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/363868/
Detection(s):
SecuriteInfo.com.Variant.Lazy.293404.31217.7184.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/68042/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed redline
Link:
https://www.filescan.io/uploads/63e75a3fae0d2eea07d4c6a1/reports/e9a05496-c3df-4315-9e4f-ae932e44b261/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f33fcf25-7a2b-4785-b56d-42102272cbe4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1171887
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41/
Threat name:
Win32.Trojan.SpywareX
Create hunting rule
Status:
Malicious
First seen:
2023-02-09 12:12:12 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 39 (41.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qgsx6u7zp4yb53m4iskwybx5pjlbaolkgh2mw4oechyjpavlzaq._file
Verdict:
malicious
Similar samples:
054ad54b518b945af94ccaf0fbb7f2fe57fbaffd43d7eeb903f21b90116b9795
RedLineStealer
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
RedLineStealer
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
RedLineStealer
5455441cf085fe5e5c605e6870fadd4f47f215d4525e23f5b75eaabec8cf3705
RedLineStealer
56b562549a0d8ec2470960f23d990fda4c60df54556c9751bb11ff3945fb3be6
RedLineStealer
579532a04b63aac5992010d56fa6cc982855b194d9782f5cfff3b063192a94d0
RedLineStealer
b973d20f7964f71bb99241b1b25c6161dfc7d2fb2c03ff30f1a1f18c415861b1
RedLineStealer
c1caac58e614931c517666747eec84548ca762fff9744c47ed6cfe162c511331
RedLineStealer
dc6226d88472e78b79c967c3d151400f1b6e69d7618efd430b64d35b2e20df2e
RedLineStealer
+ 18'625 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:barebuxipaxnut infostealer persistence
Link:
https://tria.ge/reports/230211-k16fhsbh8z/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
65.109.187.41:3042
Unpacked files
SH256 hash:
d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41
MD5 hash:
6431189d77445b500e483a2e28433266
SHA1 hash:
9d68a17910c7081073730e260fb33f59e3775eaa
Link:
https://www.unpac.me/results/dfbacac6-24ff-4897-accb-f815be88a63a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/363868/
  
URLhaus
https://urlhaus.abuse.ch/url/2536818/
  
Delivery method
Distributed via web download

Comments