MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed
SHA3-384 hash: f81d0258c4bfaeeebbe6aab43f1cf19ced5769894ee1631585c325c48a4d961ce7ddd96150e81e529222df9b3015dace
SHA1 hash: fe3ae0ba88f77c13d1abfe4d4f06af758ea074d8
MD5 hash: faaf13f6a1dd574396fea7e084504150
humanhash: blue-happy-wisconsin-kentucky
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:448'000 bytes
First seen:2024-09-10 10:38:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 12288:Fh1Lk70TnvjcH2Pn9TU15SmQ4fi0zm9U5CsTBb5r:Rk70TrcH2P9TU1EmQEjz95Csdb5r
TLSH T1CB94C010B9A0C5B6C42A0470E8B6C5F169363D65D76545C7B58C7FAEFE302F0AB3A2C9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 6575696149494549 (5 x RedLineStealer)
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: http://147.45.44.104/lopsa/66e010f468498_otr.exe#kisotrmeta

Intelligence

File Origin
# of uploads :
1
# of downloads :
422
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-10 10:41:30 UTC
Tags:
stealer metastealer
Link:
https://app.any.run/tasks/295aaa36-8885-4551-8b38-f1a92ff708b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e021c876bc4542b04953e7
Tags:
Infostealer Static Stealth
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f0ed573-a18c-4d22-af3e-907f35e7c6e4
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1508582
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads the System eventlog
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2024-09-10 10:39:05 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gwu3mq3j2xwsht2e66ltfnshdg6qrxm2rjwdep4zyyd7z3mfpwq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline credential_access discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240910-mpymmszbpp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
RedLine
RedLine payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2c2d6c0b-7b66-410f-a591-43bf3cfd89a2
Unpacked files
SH256 hash:
4b5b91cfaad6232b8c83b50f87a3618889dccda6b5706561636c2c2655b45a9c
MD5 hash:
25e3b22d2b87cd3f78082f3873134f0e
SHA1 hash:
da5c3c857b5aa2535768edc5837746f632791d0a
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/3b146792-ee8a-4836-8159-924dea91e56a/
SH256 hash:
f9e72d4de11267ab11595297bedf35ce104afc99b2f3bcc91abbe63377a9d2e2
MD5 hash:
eed9500535b6d1c8b87a092a5011978d
SHA1 hash:
53342c1c05864380c0a7c318abbd3532eedde0cd
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/3b146792-ee8a-4836-8159-924dea91e56a/
SH256 hash:
d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed
MD5 hash:
faaf13f6a1dd574396fea7e084504150
SHA1 hash:
fe3ae0ba88f77c13d1abfe4d4f06af758ea074d8
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3b146792-ee8a-4836-8159-924dea91e56a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9ad4db21b4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d9ad4db21b4eaf691e7a27bcb995b238cde846ecd4536191fcce303fe76c2bed

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3165437/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments