MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603
SHA3-384 hash: b46f7f0fdb76cdd9710181f26f25d0d2bfc2dbbf79cafc6299e781175d69537adb3b5119ad8f79b0da45ee20672ad30e
SHA1 hash: 2a3b2c42f20dbc6fb1367c334321c495f88623d0
MD5 hash: 3879291a4c9563f65101294045b3b427
humanhash: low-muppet-angel-wyoming
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:439'808 bytes
First seen:2024-09-09 14:19:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:kRxd68obL/r/PZKaqddSqkq16TT0ZSbmhGEux:kRfoL/DZGSurZSKhS
Threatray 8 similar samples on MalwareBazaar
TLSH T14194F806F605A6E1D19607F9D0870B1443B3F481E3B7E606F99D235A9D02BBDEDD882B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon f8d48ecd4fbaccf0 (2 x Stealc, 1 x RedLineStealer)
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: http://147.45.44.104/lopsa/66dd9b656c6a0_cry.exe#kiscrmeta

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.105.223.249:29986 https://threatfox.abuse.ch/ioc/1322392/

Intelligence

File Origin
# of uploads :
1
# of downloads :
434
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-09 14:21:39 UTC
Tags:
netreactor stealer metastealer
Link:
https://app.any.run/tasks/c7c7710b-f862-4ff6-aa98-811df78cfc2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.16558.13650.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66df041476bc4542b0494653
Tags:
Generic Infostealer Stealth Agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a file
Stealing user critical data
Forced shutdown of a browser
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor overlay packed redline
Link:
https://www.filescan.io/uploads/66df041462e2338211082bf4/reports/4b450686-630d-40a9-9039-a2e852d5d539/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a71b6f6f-903d-4610-bdc4-191541ac751c
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1508060
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads the System eventlog
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-09-08 15:02:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7m4zjwaqw4qxmsa4f4sll7wrkbbsw6ek7wgqb36k54q4ecnasybq._file
Verdict:
unknown
Similar samples:
37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
RedLineStealer
61233c38ece219efc52b96189b470aad5dab514eb76231a980b4e80e0928fd1d
RedLineStealer
a9bf49d95c4e6d3c9e33e5de82a721ef8f02790daba204d9816b1d581a46b345
RedLineStealer
fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603
RedLineStealer
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240909-rnd9tssemn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f75ba7b1-3ce0-4471-a11a-ed1a7cac0815
Unpacked files
SH256 hash:
fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603
MD5 hash:
3879291a4c9563f65101294045b3b427
SHA1 hash:
2a3b2c42f20dbc6fb1367c334321c495f88623d0
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/81d5a2ed-2c0d-4ffb-b047-b9d08b57580f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb3994d810b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3164233/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments