MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008
SHA3-384 hash: ce220cb38a0739877453dcc17d50cbdd9ab8b8114008c018312f25b6d0922eb9c28406c833f8262dc18088a0ba0b590d
SHA1 hash: 61c5f6bdc5c91ea4491091c27fcaf37a310fd947
MD5 hash: 6f7476fdc8edc93c56f3ee86c8212165
humanhash: wyoming-twelve-zulu-helium
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'627'968 bytes
First seen:2024-05-28 14:18:16 UTC
Last seen:2024-05-28 15:37:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:ObICdg/NcOFxBdBSa2/9joVkopxEBlexkecf:Sdg/NfBdga2/+V/pIlexnc
Threatray 1'725 similar samples on MalwareBazaar
TLSH T12E26CF0BB4B44B56C2E80636E1F084645B768F9D2B23DB3FF691332A1C227DD994D58E
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 6878ede0743a9c9e (1 x RedLineStealer)
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: https://vk.com/doc863235369_679721831?hash=cPV3De4LOzeoPDds0EDZ95aBsKsyccbeOVOlJwbYGlD&dl=eRDEEh3ZeBHQaRDdnPsqZdrVe6xRR2O6qJBvZznhY9g&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008.exe
Verdict:
Malicious activity
Analysis date:
2024-05-28 14:20:50 UTC
Tags:
redline
Link:
https://app.any.run/tasks/33b6ea81-90de-4f32-bd57-b1c154755ab8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.KLE.gen.Eldorado.17260.27410.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6655e7e63d0e5a324e7653fcwin10vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Forced shutdown of a system process
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6655e7db9c0b71aaf52a2c0b/reports/0f6e4667-ac24-4ab6-9551-7840dbcfe5a9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17faaf68-3467-4441-9e59-7d5d4d1b1319
Result
Threat name:
PureLog Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1448922
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008/
Threat name:
Win32.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2024-05-28 14:19:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7njrfzay4bmqkj6wag7vbgpbqw6t2xoddo4n3h3s32wsa732oaea._file
Verdict:
suspicious
Similar samples:
3835fe3e13b67d406cc7c1412098bbf2fcb28371c6628539ddf46d98aa716ef2
RedLineStealer
682e5a143bf1041ee0d8cf47c9d8c0aad22cb9fa2cd353dbe367a80011e9a158
RedLineStealer
7d06266d2ba7653d4ea295fa3e1df7a89b3194735e3cc3b5cd2964a3f4d1f730
RedLineStealer
8a4620c027661d01fe46cc055f621000b7e6bb681c159e58cc0d59c681e06433
RedLineStealer
8b3ee970a1b172952a665247aa5ff590d12d8f4b33c0775573044595df6383c9
RedLineStealer
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2
RedLineStealer
+ 1'715 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) infostealer
Link:
https://tria.ge/reports/240528-rmtywshh45/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine payload
Malware Config
C2 Extraction:
5.42.65.129:2353
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b6b6bab6-6ff6-4bd1-97e0-d493c41e948e
Unpacked files
SH256 hash:
d1cc68a446eb9d150a549924d62b1c85eb10d46ccd0bfe0b77a9084d9350c567
MD5 hash:
6839c92ac7f4d7e465318c9f17cca491
SHA1 hash:
ec5c15f284cc19c624657e2bba7b2b122cd85184
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
SH256 hash:
b71e0651b18c32eaf320790f2f2f4202af2f49d1b823481762f766c8c942f360
MD5 hash:
76507677a304df170dbdb4022b240561
SHA1 hash:
eb1df880f9d47eced7dee5fa5a475d683579aac7
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
SH256 hash:
81cadb6a9546328647f2fbd1713fcf8ee49921c6a0c7b155f6d287acddab5fd7
MD5 hash:
eb029ab5c2f8de328736c53dc3c7df47
SHA1 hash:
e05c4fba0236fee2516bf53a287e41e0e97a0ee5
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
Parent samples :
12df075fcaec366639ab37f203aa412540f351ee17e7f126a4a126e7a61c2a9b
b8a5ef9ea9fa588907a197db55c743559460190aa58b227db10d6be75d8bfe39
e603e36cae3f0fa9badbeaeff8fb0becb1ed444776892db76cd8d219e2ba92bd
SH256 hash:
ad318d1faf75ee2a2c57b5070bffe1f346c6aaf4ff85ff215f03fc251244a82a
MD5 hash:
6dd4be579c73eda5a8ada275ce8e64c7
SHA1 hash:
cc938abbfcd030856efd2178f1743f38810a19ab
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
SH256 hash:
665257d2e600180970af272d6ec682ec1a42959de375813a3f358efce8f2458c
MD5 hash:
b7ef46030488cc9077ee3aee05019001
SHA1 hash:
a9ef730de2589b8c7103c181ea3e794ae3c52698
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
Parent samples :
fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008
7090723b5821d015e801d537ad745b7de3046ade870b4fd7a3ee8a5ad7d16a46
665257d2e600180970af272d6ec682ec1a42959de375813a3f358efce8f2458c
b32a0ffce29ba355413cda01c14d26c0c806dfad1d82f81de95aca62119bfb03
SH256 hash:
68a1a48d88f4f7f055a4f1364df888717499ac60f36ec49701110b19bd8895f5
MD5 hash:
6f5c12cb7c573d09d773f4afd153a3bb
SHA1 hash:
9fa2d25774c63a79116624b65290edae4c5f85e3
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
SH256 hash:
be4059c7474de155e025632dd41e1371262ab7ca4be7cc5c3043f29c2ae6fa0f
MD5 hash:
59b76b4842e33491edcc9f062ad597ac
SHA1 hash:
80af89277bfd09834a30a0e72830ac5623e247ef
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
SH256 hash:
fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008
MD5 hash:
6f7476fdc8edc93c56f3ee86c8212165
SHA1 hash:
61c5f6bdc5c91ea4491091c27fcaf37a310fd947
Link:
https://www.unpac.me/results/d9572d58-e909-429f-a444-0ecb0f625dd6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb5312e418e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:GenericRedLineLike
Create hunting rule
Author:Still
Description:Matches RedLine-like stealer; may match its variants.
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_efdb9e81
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fb5312e418e0590527d601bf5099e185bd3d5dc31bb8dd9f72dead207f7a7008

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments