MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
SHA3-384 hash: 2066e3193c0a1904a9ca4af31c4a066c5f50bccb9952ddabb9ba25f19c59da847035d6e94157ab6ef6138c9eb7f6cea8
SHA1 hash: 77d6e28e523c8f0b903ae380e976f0e501968e4f
MD5 hash: 2028eca34628b965963ec8594d98e63c
humanhash: east-three-undress-high
File name:2028eca34628b965963ec8594d98e63c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:356'864 bytes
First seen:2023-07-24 08:40:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 795d5374158688612616ccbdb5ba25ba (8 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:94WsavGX4G5OzUt14OfBzNd4M+lpzGzNmCbufF97:iWsys4G5pt1DNd4r1aNmKufF
Threatray 185 similar samples on MalwareBazaar
TLSH T11974E02232E0C072E5B746301970C6A56E7FBC72A77991CB33942A7E5E613C1AF75362
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0ddc8d0c8d2dd (2 x Stealc, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
149.202.8.114:26642

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
2028eca34628b965963ec8594d98e63c.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 08:41:46 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/acccfe1a-2362-4633-a98f-222a61448ce2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430615/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.9677.23957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5711140a-174e-4f60-bfe0-1fb2ba3fb944
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278147
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 08:41:08 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=24uslhnciaq32kxj567xvgkr7274ftqp7wuselbhydriywizq4jq._file
Verdict:
malicious
Similar samples:
0053d1419ec04041f1603063f4e7c0a6a370025de08a0bb69897cd6c757f1bb0
RedLineStealer
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
RedLineStealer
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
RedLineStealer
0c5d1c2c1f5bcb910d25419e87349bce28055b67de3ef6bd1e511a6b17290fce
RedLineStealer
75f9db664373b1e957799e65139d1468c7cc7f39ce171c100b875d886cda0690
RedLineStealer
7ed395afebf774d7e1e0ce47b88445afc2a8b9811c94553f6923ba4496ce9962
RedLineStealer
8a9e291a57a70f07a7d3b0aee7f05b8268a5af104b1bbafa571d8d662fcd66b0
RedLineStealer
bd91c778c4c5c9666667f5a829f288c648f7161f7c9f991adbe08d35fb55fe3e
RedLineStealer
f5b0e044b296d2bae224086db794d1c73732e40d5fc6e0602287bef03c844e38
RedLineStealer
+ 175 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230724-klfasaca56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
149.202.8.114:26642
Unpacked files
SH256 hash:
1161f2aaede4428d7c5ad55c68d14531c7459a2a946e9b946553027db4087b9e
MD5 hash:
5b9e910f14c9664c591d075ccfdda0c3
SHA1 hash:
dbbbe03ec1f8b19d8ae3c39912c7cc07d35c0fe3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7e8a6f78-d736-4c7f-96b6-91be54e2b653/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
cbb2b3d88f8407ad3533d49d83ee97450a946073cbf9eface7bf8a0aba6a2977
MD5 hash:
1170152a8e1dc3e4b9c38d8146362e81
SHA1 hash:
d1a14beb19d4242e9237c59d5b5d85a3c2c70aa1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7e8a6f78-d736-4c7f-96b6-91be54e2b653/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
ae08b6ce7cdd04919c987c48a8e1fd11316e15f8071c063e8060251ba49e092e
MD5 hash:
b9ac7ada76639bf533b86fc0ae86597c
SHA1 hash:
74ce4a5df518a85c44d5d51fd3213fd6da36940d
Link:
https://www.unpac.me/results/7e8a6f78-d736-4c7f-96b6-91be54e2b653/
SH256 hash:
ef904719bce27fd4ef1e3221cb658a1ba93f7fafccc16d6e0ffb00a1bfb399e9
MD5 hash:
3c81ebdb4f2dc1f98485343dfeaedce5
SHA1 hash:
0ce97f6e8d3cdac8b68329d57b4d16873d6ed167
Link:
https://www.unpac.me/results/7e8a6f78-d736-4c7f-96b6-91be54e2b653/
SH256 hash:
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
MD5 hash:
2028eca34628b965963ec8594d98e63c
SHA1 hash:
77d6e28e523c8f0b903ae380e976f0e501968e4f
Link:
https://www.unpac.me/results/7e8a6f78-d736-4c7f-96b6-91be54e2b653/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d729259da240/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2687902/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/430615/

Comments