MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f
SHA3-384 hash: e2d52886321c36a686b8a2ba4cd2467902ed752c6578eb131fbc40fd192ce8c3a419dc25e2fb7e07b559329f1fe3fdfb
SHA1 hash: 8b400c226664793d21762f99839157beec32a80c
MD5 hash: a48ee65d27f3825af413145372e61b45
humanhash: sink-social-floor-paris
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'802'240 bytes
First seen:2023-10-24 14:48:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:MyqABezZapQPiP1SfGTui2wSu5kRz9WV7YsRPv97qhV0TeK0ZTf2d3q7V5bcC6m0:7PXpC3fauQDKRz9GBRX9jyK0Qd3AVK
TLSH T19E852352A9F5C9B3F9B977B048B2178706397CB11C34531A629BE8439AB37C9703172B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://109.107.182.2/race/bus50.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
349
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-24 16:33:09 UTC
Tags:
stealc stealer redline amadey botnet trojan loader smoke sinkhole opendir
Link:
https://app.any.run/tasks/4cc7d91c-3a5e-4325-9417-e5dffa87acf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456013/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Launching a service
Creating a file
Creating a window
Launching cmd.exe command interpreter
Running batch commands
Blocking the Windows Defender launch
Disabling the operating system update service
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6537d9604678fc28dfc8ab2f/reports/abba6fd9-5c36-4bd2-a847-3882fc5503d1/overview
Verdict:
Malicious
Labled as:
TR/Dldr.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35086436-33c3-470a-a7d9-f6ba9c279d54
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331352
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331352 Sample: file.exe Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 166 youtube-ui.l.google.com 2->166 168 www3.l.google.com 2->168 170 12 other IPs or domains 2->170 186 Found malware configuration 2->186 188 Malicious sample detected (through community Yara rule) 2->188 190 Antivirus detection for URL or domain 2->190 192 20 other signatures 2->192 15 file.exe 1 4 2->15         started        18 explothe.exe 2->18         started        signatures3 process4 file5 160 C:\Users\user\AppData\Local\...160a1DW14.exe, PE32 15->160 dropped 162 C:\Users\user\AppData\Local\...\7yb9gU80.exe, PE32 15->162 dropped 20 Na1DW14.exe 1 4 15->20         started        process6 file7 118 C:\Users\user\AppData\Local\...\Yj3yx03.exe, PE32 20->118 dropped 120 C:\Users\user\AppData\Local\...\6EY9Dh8.exe, PE32 20->120 dropped 198 Antivirus detection for dropped file 20->198 200 Machine Learning detection for dropped file 20->200 24 Yj3yx03.exe 1 4 20->24         started        28 6EY9Dh8.exe 20->28         started        signatures8 process9 file10 134 C:\Users\user\AppData\Local\...\Lq3Qx01.exe, PE32 24->134 dropped 136 C:\Users\user\AppData\Local\...\5xu9yu0.exe, PE32 24->136 dropped 236 Antivirus detection for dropped file 24->236 238 Machine Learning detection for dropped file 24->238 30 Lq3Qx01.exe 1 4 24->30         started        34 5xu9yu0.exe 24->34         started        240 Writes to foreign memory regions 28->240 242 Allocates memory in foreign processes 28->242 244 Injects a PE file into a foreign processes 28->244 36 AppLaunch.exe 28->36         started        38 AppLaunch.exe 28->38         started        40 AppLaunch.exe 28->40         started        signatures11 process12 file13 150 C:\Users\user\AppData\Local\...\SI9IV56.exe, PE32 30->150 dropped 152 C:\Users\user\AppData\Local\...\4JG711zB.exe, PE32 30->152 dropped 262 Antivirus detection for dropped file 30->262 264 Machine Learning detection for dropped file 30->264 42 SI9IV56.exe 1 4 30->42         started        46 4JG711zB.exe 30->46         started        154 C:\Users\user\AppData\Local\...\explothe.exe, PE32 34->154 dropped 48 explothe.exe 34->48         started        51 Conhost.exe 36->51         started        signatures14 process15 dnsIp16 142 C:\Users\user\AppData\Local\...\AF4QA06.exe, PE32 42->142 dropped 144 C:\Users\user\AppData\Local\...\3Ll74Vl.exe, PE32 42->144 dropped 246 Antivirus detection for dropped file 42->246 248 Machine Learning detection for dropped file 42->248 53 3Ll74Vl.exe 42->53         started        56 AF4QA06.exe 1 4 42->56         started        250 Multi AV Scanner detection for dropped file 46->250 252 Writes to foreign memory regions 46->252 254 Allocates memory in foreign processes 46->254 256 Injects a PE file into a foreign processes 46->256 59 AppLaunch.exe 46->59         started        164 77.91.124.1, 49715, 49716, 49717 ECOTEL-ASRU Russian Federation 48->164 146 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 48->146 dropped 148 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 48->148 dropped 258 Creates an undocumented autostart registry key 48->258 260 Uses schtasks.exe or at.exe to add and modify task schedules 48->260 62 cmd.exe 48->62         started        64 schtasks.exe 48->64         started        66 rundll32.exe 48->66         started        file17 signatures18 process19 dnsIp20 202 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 53->202 204 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 53->204 206 Maps a DLL or memory area into another process 53->206 208 2 other signatures 53->208 68 explorer.exe 67 30 53->68 injected 138 C:\Users\user\AppData\Local\...\2yY2942.exe, PE32 56->138 dropped 140 C:\Users\user\AppData\Local\...\1Kf26BM0.exe, PE32 56->140 dropped 73 1Kf26BM0.exe 56->73         started        75 2yY2942.exe 12 56->75         started        184 77.91.124.86, 19084, 49714, 49767 ECOTEL-ASRU Russian Federation 59->184 77 conhost.exe 62->77         started        79 cmd.exe 62->79         started        81 cacls.exe 62->81         started        85 4 other processes 62->85 83 conhost.exe 64->83         started        file21 signatures22 process23 dnsIp24 172 5.42.65.80, 49829, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 68->172 174 77.91.68.249, 49753, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 68->174 178 4 other IPs or domains 68->178 122 C:\Users\user\AppData\Local\Temp\F73.exe, PE32+ 68->122 dropped 124 C:\Users\user\AppData\Local\Temp\F1C8.exe, PE32 68->124 dropped 126 C:\Users\user\AppData\Local\Temp\BED0.exe, PE32+ 68->126 dropped 128 8 other malicious files 68->128 dropped 210 System process connects to network (likely due to code injection or exploit) 68->210 212 Benign windows process drops PE files 68->212 87 1D57.exe 68->87         started        91 215F.exe 68->91         started        93 cmd.exe 68->93         started        97 2 other processes 68->97 214 Multi AV Scanner detection for dropped file 73->214 216 Contains functionality to inject code into remote processes 73->216 218 Writes to foreign memory regions 73->218 220 2 other signatures 73->220 95 AppLaunch.exe 9 1 73->95         started        176 193.233.255.73, 49713, 49719, 49751 FREE-NET-ASFREEnetEU Russian Federation 75->176 file25 signatures26 process27 file28 130 C:\Users\user\AppData\Local\...\VD8da5lH.exe, PE32 87->130 dropped 132 C:\Users\user\AppData\Local\...\6DP72QX.exe, PE32 87->132 dropped 222 Antivirus detection for dropped file 87->222 224 Machine Learning detection for dropped file 87->224 99 VD8da5lH.exe 87->99         started        226 Multi AV Scanner detection for dropped file 91->226 103 chrome.exe 93->103         started        106 conhost.exe 93->106         started        108 chrome.exe 93->108         started        228 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 95->228 230 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 95->230 232 Modifies windows update settings 95->232 234 2 other signatures 95->234 signatures29 process30 dnsIp31 114 C:\Users\user\AppData\Local\...\nS0gV8WL.exe, PE32 99->114 dropped 116 C:\Users\user\AppData\Local\...\5cJ83Kn.exe, PE32 99->116 dropped 194 Antivirus detection for dropped file 99->194 196 Machine Learning detection for dropped file 99->196 110 nS0gV8WL.exe 99->110         started        180 192.168.2.5, 19084, 42359, 443 unknown unknown 103->180 182 239.255.255.250 unknown Reserved 103->182 file32 signatures33 process34 file35 156 C:\Users\user\AppData\Local\...\FK7vk6SL.exe, PE32 110->156 dropped 158 C:\Users\user\AppData\Local\...\4Gm665LU.exe, PE32 110->158 dropped 266 Antivirus detection for dropped file 110->266 268 Machine Learning detection for dropped file 110->268 signatures36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 14:49:06 UTC
File Type:
PE (Exe)
Extracted files:
226
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=25lzpohodkrt7gjaczikt2rmlrg6s6xqj3q6ol427hnv6ikumfpq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:smokeloader botnet:grome botnet:kinza backdoor brand:google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan
Link:
https://tria.ge/reports/231024-r6z91sfd65/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
Amadey
DcRat
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/9c5b1cb3-08fe-4c2b-8e9a-1081bdf6a751/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
2ac190933aff3c654a5e1f4bc8dfdfed2035bb5b254cec23c5b734a3a3ac81fe
MD5 hash:
ff668a9df3e6670446cafa2f44bd357d
SHA1 hash:
83e908ab769fbc1c7ab500c5ce0f28f93486d86c
Link:
https://www.unpac.me/results/9c5b1cb3-08fe-4c2b-8e9a-1081bdf6a751/
SH256 hash:
5b1c05cc417141417ee1758cb5ec399d5dfd500d3914db28cfa434653096700e
MD5 hash:
4b44a32c8a3a0c5725dc3fa5ceb871aa
SHA1 hash:
d1b2a4f113e3a8d5054592d34db2675f5a4b6066
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/9c5b1cb3-08fe-4c2b-8e9a-1081bdf6a751/
Parent samples :
4fe99e05e3b7271ef29da9e1cb1e2d05d6f04d6e7e689b3527f00685fc70e269
7eefed8a6ecd2a632fbf67fc816bf8998e5aa86442be7fdac54132b84fa357da
a05546548da00df987c5804ecc1ebf8db495169400dec9794ddde20a86e71f4c
5779207515cf9fcdee8d4fc24b6c372f8dff076176467a2c0f5e67c50a556b2d
fca622d2096af6d499789c6ae2afb61575c07fe93e62af79d33f5890f77e842e
04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f
d231b769eb36718f09c460cef8792b92bc43a4e929b89f8a5549e0edc5f7e458
4fd71f957838a6aac97d702c479afd6c203c8420eb6240f3694e77a847b5c8fe
23e93ad6fbbe1a721de5557b6595c428a23b68a86682352bdd0ee63903afb520
6d3d8301ea3c4550e46fe6bc967f18cdd2711793744e2a98e129158e2ddddfe4
c299af8fce28253ebad572e13220aeee09810cc028e81513039cdbe5b0362517
d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f
38a0bbea673c67f549f82588e21a2ce397d92f9fa3cbcd198a62c8f0df3e4b50
b132a66597c0fcc9b02a9146e7e58b3dfe2c0d38d59389a1a945791790a71eb4
SH256 hash:
2a593b12879662de94fc652f11c95e80407632027e362a930dbd4b6f1c693488
MD5 hash:
9347f33eef0827825f1ce3a34c0c0355
SHA1 hash:
68bec3496f3d88e434a83b7b645ad6bc8b16ce8d
Link:
https://www.unpac.me/results/9c5b1cb3-08fe-4c2b-8e9a-1081bdf6a751/
SH256 hash:
c339c4ac79307165ccc6411638027046e09fc3299295f2af04dd432821d8433c
MD5 hash:
68e1c0be213c7f7e134ee90c235d27e3
SHA1 hash:
9f21090813059169d6136f23e6c4705e8fb8f577
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c5b1cb3-08fe-4c2b-8e9a-1081bdf6a751/
Parent samples :
4fe99e05e3b7271ef29da9e1cb1e2d05d6f04d6e7e689b3527f00685fc70e269
fca622d2096af6d499789c6ae2afb61575c07fe93e62af79d33f5890f77e842e
04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f
4fd71f957838a6aac97d702c479afd6c203c8420eb6240f3694e77a847b5c8fe
23e93ad6fbbe1a721de5557b6595c428a23b68a86682352bdd0ee63903afb520
6d3d8301ea3c4550e46fe6bc967f18cdd2711793744e2a98e129158e2ddddfe4
c299af8fce28253ebad572e13220aeee09810cc028e81513039cdbe5b0362517
d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f
38a0bbea673c67f549f82588e21a2ce397d92f9fa3cbcd198a62c8f0df3e4b50
SH256 hash:
007867122e4c513a520b54cbec4d4e74f8343673cdf114140d787b88a46049c4
MD5 hash:
16a0c2d9243033af154805cbbb786616
SHA1 hash:
dc2f36660c1cb5a45312d18593a2ad2f0a15731c
Link:
https://www.unpac.me/results/9c5b1cb3-08fe-4c2b-8e9a-1081bdf6a751/
SH256 hash:
d75797b8ee1aa33f99201650a9ea2c5c4de97af04ee1e72f9af9db5f2154615f
MD5 hash:
a48ee65d27f3825af413145372e61b45
SHA1 hash:
8b400c226664793d21762f99839157beec32a80c
Link:
https://www.unpac.me/results/9c5b1cb3-08fe-4c2b-8e9a-1081bdf6a751/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d75797b8ee1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2722824/
Cape
Cape
https://www.capesandbox.com/analysis/456013/

Comments