MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
SHA3-384 hash: 8a94beaab5b5fd1d0570c48f75e76ef585e130ce7fcd64b53fb08872ceac69b84c4ebaf894224f9c71c59a8445bc78e4
SHA1 hash: aa738052338a7f8515a0f0dac9f9883865c3360b
MD5 hash: eb68d581a0d9470c568d68c1dc6c457a
humanhash: tennessee-michigan-ten-don
File name:e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:388'096 bytes
First seen:2023-04-06 11:49:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e995a4cf6af4dc2215ec1060df8374d2 (10 x Smoke Loader, 7 x RedLineStealer, 2 x Amadey)
ssdeep 6144:xbvgogp56pv5kHidlxQTx4F97PPoFIkenFZG1nr:xTghpYpvOCVLLsZqFgr
Threatray 138 similar samples on MalwareBazaar
TLSH T15D84BF1E93F46860E5734732BE1EC7F42A1FF8611E577B5E2689AA3F0970662DD62300
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 084c4c56540a0919 (1 x RedLineStealer)
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
130d0256a34019d5b47c5d12bc79a5bc.exe
Verdict:
Malicious activity
Analysis date:
2023-03-27 03:56:46 UTC
Tags:
rat redline trojan amadey
Link:
https://app.any.run/tasks/27026b78-7073-448d-b2ab-863a18535358

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380633/
Detection(s):
Win.Dropper.Tofsee-9994567-0
Create hunting rule

Win.Dropper.Tofsee-9994568-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult crypter greyware lockbit packed ransomx zusy
Link:
https://www.filescan.io/uploads/642eb1eb2254dc8912046f99/reports/e9ef240f-0e24-40ac-bde2-d93293b87521/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56c8a754-3bf2-418d-9313-452c973a0be6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1209632
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 03:56:09 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
31 of 37 (83.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4koeddbq7rj7ob7nj53nwutbwikfrcj5np62iebgkad4gwjtyuuq._file
Verdict:
malicious
Similar samples:
0f931e984c46fc75191a17436514595218d8b88b73ad84f9ff68131cb463b387
RedLineStealer
1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360
RedLineStealer
6573162f612754c9eab66e38cf9887f9ea4e3ce678058a1c133644e41c192d99
RedLineStealer
89551bc135efb0262d763796add54f730378324d9acf145ff32ddfe18fac7001
RedLineStealer
a2703a938720483ba3ab69d8c271bb409266e2683fbd0124ac5b22704b49726f
RedLineStealer
b82fcf368bda3ca3dc3909a3962c32c9b778a507b814faa4c9a7e685ab51ca21
RedLineStealer
cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343
RedLineStealer
f7f0467dca35ef41db9f63fa93884039a994862e15698207384ab4b35acb7aad
RedLineStealer
+ 128 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sony infostealer
Link:
https://tria.ge/reports/230406-nzkzzach55/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.33:4125
Unpacked files
SH256 hash:
121e86047a4c2a3a3510b693d5b58f236733799527537cb93185d58057a50ae1
MD5 hash:
0553c447c63f0bfa07ab82834f601004
SHA1 hash:
77bb489346633d1e48cdae4994cf9207e037e12f
Link:
https://www.unpac.me/results/6385e9e8-2762-4410-b7c6-fbd444f0bd8d/
SH256 hash:
fc149acae1d14442deae885355e11a59c04022c7be43939b354d175ed793defd
MD5 hash:
d6498df31de7da7a3a40f455dec3f750
SHA1 hash:
46124fc487cc340c30555af0418171ccb97b3e88
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6385e9e8-2762-4410-b7c6-fbd444f0bd8d/
Parent samples :
13b5ef24472eb8dcdb12adb23ea8cbd08285ac279fd1246aceb4b8adfcaa30ac
315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec
b82fcf368bda3ca3dc3909a3962c32c9b778a507b814faa4c9a7e685ab51ca21
7d6e4a6d983bcdde36c4a000f4c5fdc5cc47302c732b865e6d75c4b5a7210c37
885cd71a5c8ff7e020f3fae0d6b09ae4e6738ef102df163105dbbba7cb0095ac
030bbce7d3b72a04844f1c73d756a2d5cfabde58c902214c36ccc1737b1759d3
d0bbc63fb5cbbfe796106e768883253d6839e20106e436368ea36dbd9488fd94
aa0d375e2bd7a3053398cdff8b475f63d09c9102190d964021c6b6384a4a69b8
d68d2c2c9fcac54a31eb59bad72fc8d7c48d5bcdb39b17cec886e018936165b7
6468b1cbd0c1de3f8dda0fdcca9c585ae8c33c6e60a1837e3435e7d364cf3708
64fd046a49f125efe3475274248f92e7c8165d46038509a97f53b8046e1cdc7c
634915b5a110d6feba5ce01b0c7f0053d5bb86e1644ddeafbed09bcf00f26754
6c616ad906eaaf5380c6c3343e5b8f4b25291d2d8c101a4916e3eae1276ee927
22f8e968a506352f6bd494eb2022633f7f5aa63c8fb3dee3a18b70be139822e3
fff6a6eb6660003361333231bbb001ce7c99396ae603f3d3568928b9df30cc10
b7c6c872fd2112e29b2bddd7cc95ebebbcf07805f718b0c4757bf1463ce397fc
6998af1d9f903ff953b4d0ad8ad7fbcc9a257f786d108a13a0a3b308a4e1c3b7
442383819053791fd1d20cfedff61e4ddd39257d4c7644f1ef5cdd9695a52a28
f5b3c296484c5e8aaf165b36f62f5bca75acd3c452603fb262ff334c8a65d390
a4ab0631a77553314cfe341ae9bb7ac3e2886750ff544673c238146d450b79e4
603a78148b4d2eb02e7667ad7c14f5c788f77792c7fefa4f2400d789785446c0
35984772051be6bcb95f93e5df8cbd243074e68d364db91440da706406dd6ee4
c8a83a59adf0cc70f7e283b74866cd00747030e34e18cf1367a9b3ed76e00efb
5d0c2c3b7c8aab7ad532b6c0b5ecd7b88f33106125d0fe5b5e4ea7136520e8cf
0bee8c6c071a4c7301b26123a1544fbedd43ea2f0fe169200f53ce67d9e0ea06
f75e5636c02279031def2844cc529c9e0aa8a2c82a81f18e36c1701317d9ab4e
858a5b8a86221a0f5ee7ef04e6837db21c5cec9f93037ad6009f1c52250ab40b
2e7d10e7f46b4e43878693428315971c874892129af53911f7ed52d4d4005c2d
2fea6af2b1d327967a46c3228132be457cfc6d670b7e2bbd50d546d844fc77c1
601207ff2909da97272ca4d22cd8ba62012fe4292e902df7b0c3af0b1940c46b
34c064d8fd5046e9b2949e7cedf75d5882581decb1915c902d43ad70e5cbac0f
39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed
30f1762d1da0024e19451c8dfd306ce81eff20dfc83122bf765fb9cd5895c4e1
e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
SH256 hash:
b4ae8d22425a3887f58385cf9badb14020e00c0709e1e00a768f857b12cfbb01
MD5 hash:
423c9ebe6977b239063328896bb591e6
SHA1 hash:
08a43e54bb6ad89c7f7f47ca171322134787dd0c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6385e9e8-2762-4410-b7c6-fbd444f0bd8d/
Parent samples :
cb2a011220c6050942b327244c7b3df1b0652c9cf1c18b64f71d2b08b654e6c8
315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec
cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343
6573162f612754c9eab66e38cf9887f9ea4e3ce678058a1c133644e41c192d99
89551bc135efb0262d763796add54f730378324d9acf145ff32ddfe18fac7001
7d6e4a6d983bcdde36c4a000f4c5fdc5cc47302c732b865e6d75c4b5a7210c37
885cd71a5c8ff7e020f3fae0d6b09ae4e6738ef102df163105dbbba7cb0095ac
2267b8157a975f8c3c687dce27c5212de7f0d1800c0baca7dd568d5644a12b89
ff556d834094729d1d1bb1ff1a2c9efa30d8da5cfb6d2745f82606dc908e4054
6b461f6d0e734652d07e41d896922672778eab5eabfd775b7bec54683116f67c
aa0d375e2bd7a3053398cdff8b475f63d09c9102190d964021c6b6384a4a69b8
d68d2c2c9fcac54a31eb59bad72fc8d7c48d5bcdb39b17cec886e018936165b7
c3e011a86632545295b8653faaa5186b8bf5899ffa07c9be4c1b809f043e07d3
64fd046a49f125efe3475274248f92e7c8165d46038509a97f53b8046e1cdc7c
e5695e72ba1c8e424955676b346a790e356ea647830df26be721ea039345b16b
34171e8efa5e3091775e8f47e35690a34be7da2905f6e9acc7d1672372c258a7
6c616ad906eaaf5380c6c3343e5b8f4b25291d2d8c101a4916e3eae1276ee927
22f8e968a506352f6bd494eb2022633f7f5aa63c8fb3dee3a18b70be139822e3
e88df728437f4b3dfb47b686246fc520bb9bd03364b34590502403008e2b4faa
fff6a6eb6660003361333231bbb001ce7c99396ae603f3d3568928b9df30cc10
b7c6c872fd2112e29b2bddd7cc95ebebbcf07805f718b0c4757bf1463ce397fc
6998af1d9f903ff953b4d0ad8ad7fbcc9a257f786d108a13a0a3b308a4e1c3b7
cd2975720f2128167c2550cdad7c52fce440c8fa4c2062c1bca275915b73ad93
603a78148b4d2eb02e7667ad7c14f5c788f77792c7fefa4f2400d789785446c0
c8a83a59adf0cc70f7e283b74866cd00747030e34e18cf1367a9b3ed76e00efb
5d0c2c3b7c8aab7ad532b6c0b5ecd7b88f33106125d0fe5b5e4ea7136520e8cf
0bee8c6c071a4c7301b26123a1544fbedd43ea2f0fe169200f53ce67d9e0ea06
f75e5636c02279031def2844cc529c9e0aa8a2c82a81f18e36c1701317d9ab4e
858a5b8a86221a0f5ee7ef04e6837db21c5cec9f93037ad6009f1c52250ab40b
2e7d10e7f46b4e43878693428315971c874892129af53911f7ed52d4d4005c2d
abb18917606c6031ab4139c3a5da92902af409ab055b48893924ed706b68cad0
601207ff2909da97272ca4d22cd8ba62012fe4292e902df7b0c3af0b1940c46b
cf88c19e1ed803ce213ffd1685f3cbdd787937c918a5dda0f0a2b33d62d18ee3
39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed
30f1762d1da0024e19451c8dfd306ce81eff20dfc83122bf765fb9cd5895c4e1
e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
SH256 hash:
e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
MD5 hash:
eb68d581a0d9470c568d68c1dc6c457a
SHA1 hash:
aa738052338a7f8515a0f0dac9f9883865c3360b
Link:
https://www.unpac.me/results/6385e9e8-2762-4410-b7c6-fbd444f0bd8d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e29c418c30fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380633/

Comments