MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d48b986d716fe5388a53ae46e743038128f9b0b79213467314fcc76715725ac3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d48b986d716fe5388a53ae46e743038128f9b0b79213467314fcc76715725ac3
SHA3-384 hash: 8b6eed358c4fe04ef094715ccfc14a9eb126820f4947a4dcf409567377e4a309ae791fab9e3cb2c040acd2f864594ed5
SHA1 hash: 7d307870b86f1f5c08aec8c27ad0e050e4ff5453
MD5 hash: 9d00d27f2e702b0f3da188a75f58f926
humanhash: jersey-blossom-illinois-queen
File name:9d00d27f2e702b0f3da188a75f58f926.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:24'468'107 bytes
First seen:2023-04-10 10:39:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ee3b0da38e7b7c567f93f357ca3751c (2 x RedLineStealer, 2 x RaccoonStealer, 1 x QuasarRAT)
ssdeep 393216:7veof0dnrYnk2+S2dU0I+tgonnIwoJnmhfekEotYbiegODTjLw8ZpNdLkRfHBiZq:7+nr2KjtgC6UBdE75TjL3ARs3o
Threatray 56 similar samples on MalwareBazaar
TLSH T1273712E3324AC526D56E0570262D8BBE512B7E6D0BF344C763DB6D6E07B08CE5231E26
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6a8ccccc8c8ccc2b (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer Telegram

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9d00d27f2e702b0f3da188a75f58f926.exe
Verdict:
Malicious activity
Analysis date:
2023-04-10 10:41:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d80b1ada-9386-421a-a8a7-f3afc7e2c48f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.15334.12890.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77211/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive fingerprint greyware msiexec.exe overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6433e785c064c538e1b33084/reports/235674c1-fc5b-4e81-a794-c6eb47cb4a14/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d48b986d716fe5388a53ae46e743038128f9b0b79213467314fcc76715725ac3
Result
Verdict:
MALICIOUS
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211043
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Installs Task Scheduler Managed Wrapper
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 843959 Sample: vCs26X3S95.exe Startdate: 10/04/2023 Architecture: WINDOWS Score: 100 82 Snort IDS alert for network traffic 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 11 other signatures 2->88 9 msiexec.exe 152 135 2->9         started        13 vCs26X3S95.exe 58 2->13         started        15 Windows11Manager.exe 2->15         started        process3 file4 54 C:\Windows\Installer\MSI6C6.tmp, PE32 9->54 dropped 56 C:\Windows\Installer\MSI639.tmp, PE32 9->56 dropped 58 C:\Windows\Installer\MSI53E.tmp, PE32 9->58 dropped 66 59 other files (4 malicious) 9->66 dropped 106 Installs Task Scheduler Managed Wrapper 9->106 108 Drops PE files with a suspicious file extension 9->108 17 Activation.pif 15 4 9->17         started        21 msiexec.exe 9->21         started        23 msiexec.exe 9->23         started        60 C:\Users\user\AppData\Local\...\shiBB15.tmp, PE32+ 13->60 dropped 62 C:\Users\user\AppData\Local\...\MSICCFB.tmp, PE32 13->62 dropped 64 C:\Users\user\AppData\Local\...\MSICC00.tmp, PE32 13->64 dropped 68 8 other files (none is malicious) 13->68 dropped 25 vCs26X3S95.exe 6 13->25         started        28 Windows11Manager.exe 15->28         started        30 Windows11Manager.exe 15->30         started        signatures5 process6 dnsIp7 76 api.telegram.org 149.154.167.220, 443, 49700 TELEGRAMRU United Kingdom 17->76 90 Multi AV Scanner detection for dropped file 17->90 92 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->92 94 Writes to foreign memory regions 17->94 96 Injects a PE file into a foreign processes 17->96 32 RegAsm.exe 17->32         started        36 cmd.exe 17->36         started        70 C:\Users\user\AppData\Local\Temp\shiD9.tmp, PE32+ 25->70 dropped file8 signatures9 process10 dnsIp11 72 utorrent-server-api.cc 85.217.144.162, 49701, 80 WS171-ASRU Bulgaria 32->72 74 95.214.24.244, 49702, 80 CMCSUS Germany 32->74 52 C:\Users\user\AppData\...\WindowsServices.exe, PE32 32->52 dropped 38 WindowsServices.exe 32->38         started        41 conhost.exe 32->41         started        43 conhost.exe 36->43         started        45 timeout.exe 36->45         started        file12 process13 signatures14 98 Multi AV Scanner detection for dropped file 38->98 100 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 38->100 102 Writes to foreign memory regions 38->102 104 Injects a PE file into a foreign processes 38->104 47 InstallUtil.exe 38->47         started        50 InstallUtil.exe 38->50         started        process15 dnsIp16 78 amrican-sport-live-stream.cc 193.142.146.212, 4581, 49704 HOSTSLICK-GERMANYNL Netherlands 47->78 80 192.168.2.1 unknown unknown 47->80
Gathering data
Threat name:
Win32.Trojan.Hesv
Create hunting rule
Status:
Malicious
First seen:
2022-02-04 05:13:36 UTC
File Type:
PE (Exe)
Extracted files:
3192
AV detection:
10 of 37 (27.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2sfzq3lrn7strcstvzdooqydqeuptmfxsijum4yu7tdwoflsllbq._file
Verdict:
malicious
Similar samples:
0240347f0a7e6318facda5d29103c2dba44ef0d45f76706cd5ade058a69c0c55
RedLineStealer
0ec8d01e78f2157589701925ec97ada690046fa17ca65a0db766d96533529aab
RedLineStealer
0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507
RedLineStealer
29d5119f820b68d9e231a4812290395628313ff03a4c04b72190a7fb39b260c4
RedLineStealer
b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a
RedLineStealer
d7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622
RedLineStealer
d82b69c1b464213cb75866f3b9a01f23df9bd968eb1c8e88fbf54f9749d01047
RedLineStealer
e6519b812c285d6ad48df92a70e235a28ee05d7c87e3b6dd8d4f1a29a9b77856
RedLineStealer
e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3
RedLineStealer
f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0
RedLineStealer
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230410-mqh9caae6x/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d48b986d716f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d48b986d716fe5388a53ae46e743038128f9b0b79213467314fcc76715725ac3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments