MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206
SHA3-384 hash:	5405772fb526cbc657aab149f275f6bb645ef92370631b120f381bc8b4d35aef98762ab5d09fb7de03411f560b4817ea
SHA1 hash:	bd4f464a160d2b92e23e3eba28ced4ec6c45262e
MD5 hash:	5bad484faa7a3f0756ace3a182b3f258
humanhash:	lima-tennessee-green-sad
File name:	5bad484faa7a3f0756ace3a182b3f258
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	1'310'720 bytes
First seen:	2023-06-01 02:01:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	89b3a6f6fa95f20a6ae4cdbb8278d185 (3 x RedLineStealer, 1 x DCRat)
ssdeep	6144:8O6wUSpLFcKWBxvp+HXLAOqsfRDho101lMg+RiPVTNP8Hig1qXbZ/PyUiM:8xSpLFcKWxyb3++lZPRNUQ3yUiM
Threatray	8 similar samples on MalwareBazaar
TLSH	T10255CF1176D1C032D47229320AE4EBB59A7EB9700B669DEF63D40F6E4F342C1D631AA7
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

278

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

5bad484faa7a3f0756ace3a182b3f258

Verdict:

Malicious activity

Analysis date:

2023-06-01 02:04:43 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/a9186b21-7214-4971-b320-25991d9924fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/394230/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67310247.456.20738.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Modifying a system executable file

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Infecting executable files

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88858/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6477fc1b13d2e2626406c6bc/reports/dfc53d66-e050-4c98-b04c-745ce4fb780b/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer RedLine stealer

Malware family:

RedLine stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08c832b8-acdb-4e76-b51a-bc6fc2034fdf

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1246495

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206/

ReversingLabs TitaniumCloud Win32.Trojan.RedLineStealer

Threat name:

Win32.Trojan.RedLineStealer

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-30 21:52:49 UTC

AV detection:

21 of 24 (87.50%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3mnitycy5k3nkpal5xwdgrbyukxnlup3nypaa5yzkym36ziweida._file

Threatray malicious

Verdict:

malicious

Similar samples:

296d7e9ac7f08f53dfad9c95d3859fe022d0bdcbb32d6d08d4250ffdc0e7a6fc

RedLineStealer

2ffc40538840f89e0cd93590fc184f4f168187b717631db17294bebfd3577f5a

RedLineStealer

4b96a2bc629d40819ad85f26579a704999ca4e9d544ee83e7e89752c7279891f

RedLineStealer

4c087150a0e17c46885efeced99be0b2a3f0f3d6209154aabd3c3871f1ec77d1

RedLineStealer

52f7559453685d0c3f7c133af17d39ae40b09f403b792e1065d2529a5b6c3992

RedLineStealer

5a5e3d70cd466c1fd8b96432c3e547d1219f87562450259393b51780b65a201d

RedLineStealer

6591dc0a644a039cd91e77f5d702799a0d98d0cb5aa80296f9514b30b30e3823

RedLineStealer

c03768c75abb3f21404445447b465dc965aa9df7149d174997f69eff45aaaebb

RedLineStealer

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/230601-cf43ysce2t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

UnpacMe redline

Unpacked files

SH256 hash:

43c09e07ce73caa5d1a5c9a717c761bf73522d49387a11bd45c2465b83cd3535

MD5 hash:

7bd82742f784f115aa5077d35ed59b90

SHA1 hash:

6d03e20cf7fe5cce230589cfdb2cb3ccd1d8a85b

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/e400b36f-1985-4a5b-aeb4-561359367c29/

SH256 hash:

db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206

MD5 hash:

5bad484faa7a3f0756ace3a182b3f258

SHA1 hash:

bd4f464a160d2b92e23e3eba28ced4ec6c45262e

Link:

https://www.unpac.me/results/e400b36f-1985-4a5b-aeb4-561359367c29/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/db1a89e058ea/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/394230/

  

URLhaus

https://urlhaus.abuse.ch/url/2648398/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-06-01 02:01:37 UTC

url : hxxp://fdioshjfuiosdfhjsdio.tw-team.com/Fecurity.exe