MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33
SHA3-384 hash: 19494c221d7c2e529439081d78ad76cb849d772cd153a8a7344a8edd581bf082b4390fe5b08c63d8cb10dc86fc74f81c
SHA1 hash: 39599ad3c88c465385747932ea69122a9f97aa91
MD5 hash: c186adbf9fe8695646e486edd4482412
humanhash: wisconsin-crazy-oklahoma-coffee
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:343'552 bytes
First seen:2023-08-12 08:22:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57c957ecde7ffcaeaa065ed04df47092 (8 x RedLineStealer, 1 x TeamBot, 1 x Rhadamanthys)
ssdeep 6144:Q0gi+LlmkVA506gvj1c81Kh/jky1VRMkRi:QJj8kVA506a5chrkOVRMn
Threatray 555 similar samples on MalwareBazaar
TLSH T1B474F1213AA2D072CB4B41345934DBA1AE7FB539277986A737680B7F4D702D19FA230D
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0800040808480000 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.233:3002/file.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-08-12 08:26:44 UTC
Tags:
redline
Link:
https://app.any.run/tasks/6b2e67e7-b8e9-43e3-864f-524cd20bdce6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442336/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102651/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64d74167a5c3e653be17f512/reports/f9bc400f-47c7-4277-9475-910cab0066d1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/259dbf48-1802-49f2-a4c3-d6750c98d5d3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1290442
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-12 08:23:05 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qzdect54cureewxfmel4sf2q4y2acztnutxon36kyzl2f7ojizq._file
Verdict:
malicious
Similar samples:
279155f5ae5904f994db343dc511d83fcccf64a0a964f5564e8c04ccd209cdf2
RedLineStealer
4875a5a5dd058961caad327b2b718e01fbf2821e4873f13b85e790a09c371209
RedLineStealer
87c9b723dac804469ebc6e59f5a3d9b141dd02fe2315a417e51490325b0a54a0
RedLineStealer
a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50
RedLineStealer
bea60a6d436d1d750f83f0df89dce0367822b76b3c67acfd95ff038870930789
RedLineStealer
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
RedLineStealer
e3dc9fb2eb85704dfcf401f7fd838fd2149667fa2573c608aa933ed85036faf4
RedLineStealer
e7f7aba3aa560f0e301fb6d8451914efd3c86c88be4cd1f8a8eb994d58ceb3c5
RedLineStealer
f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787
RedLineStealer
f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8601e619b670c78673bb
RedLineStealer
+ 545 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer
Link:
https://tria.ge/reports/230812-j95pxach6x/
Behaviour
RedLine
Malware Config
C2 Extraction:
209.250.242.222:27532
Unpacked files
SH256 hash:
92499ca80679872ad84030af76f546e8b0363c3f8b2be60d6684fda828fd0abb
MD5 hash:
a24696f7ae363735a9729062992fd5f0
SHA1 hash:
d9560032203ef35aa9bb6e3435d349314dcf24d2
Link:
https://www.unpac.me/results/005cb549-facc-44c8-8232-1cfab4b23b12/
SH256 hash:
cf3144f0662f292e7fdb64ff5ecd3feba44074dccc8ade6b06d07cda7db3a75d
MD5 hash:
5b3e517caba49231bac955de65fe3f28
SHA1 hash:
bfa4267104d1c896b5bdfe74d6a20d227c3f0661
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/005cb549-facc-44c8-8232-1cfab4b23b12/
Parent samples :
d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33
f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404
SH256 hash:
18aae0324a0f204814fa06f313755162f0cee841c407cb242610c17a1b782ffb
MD5 hash:
7446efe258da00622a5bf7f7b8a9a88f
SHA1 hash:
b6def6395d3a23c790d919264b795183b0581072
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/005cb549-facc-44c8-8232-1cfab4b23b12/
Parent samples :
d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33
f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404
SH256 hash:
de0775600ed3f00d727db0f630036ce1db4063cb1db28771462e2e6b80c532db
MD5 hash:
af9634e7674ec78c37ded0378b1d24dd
SHA1 hash:
5257325ea7f3818313200826f22f28c526ee8d26
Link:
https://www.unpac.me/results/005cb549-facc-44c8-8232-1cfab4b23b12/
SH256 hash:
d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33
MD5 hash:
c186adbf9fe8695646e486edd4482412
SHA1 hash:
39599ad3c88c465385747932ea69122a9f97aa91
Link:
https://www.unpac.me/results/005cb549-facc-44c8-8232-1cfab4b23b12/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d432320a7de0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/442336/

Comments