MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbd26c2dd1ce905135c5f1e33a946956abc1d9c588339d5a129cd86aed651dd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	fbd26c2dd1ce905135c5f1e33a946956abc1d9c588339d5a129cd86aed651dd5
SHA3-384 hash:	237d4221407219876827592f576d55f4276168eb18da2e743089a67b9deb4ce20af0b046836c5789221605963a8edff8
SHA1 hash:	088025b68a926b9e07f92a5661a768a5dbfb7a6a
MD5 hash:	5612cad7cc976d82ad2b94e9be554be2
humanhash:	queen-kitten-artist-london
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	314'368 bytes
First seen:	2022-11-08 21:18:07 UTC
Last seen:	2022-11-09 05:46:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a07bb4b81e6c6d0f72670722ee7e56 (20 x RedLineStealer)
ssdeep	6144:byD1wnLjl+9vU3D1oTnJEiQdZqSrhUAOs8RfooQbtWhzdnXwUdk:byD1w3lIvU3D1oTBOIwoUwtXDS
Threatray	5'548 similar samples on MalwareBazaar
TLSH	T1D464CF00B5D2C972D8B2543109F4EB759A7DB8200B3459EFA7D04B7B4F302D2E972A7A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc760750097_655664221?hash=WUnQOrjmHXZFkuVcaehTsNHbDGpO3WYgwJLgFNHiDdc&dl=G43DANZVGAYDSNY:1667934921:6TmF8jjJooZ4PkFBvToOki6Vozq7zuNoXDpKqTJv9WT&api=1&no_preview=1#bild1401

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-08 21:23:01 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/9feb428f-75d5-4679-a603-5491d69ab8b5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330838/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.160998.1051.18695.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/636ac7c7c0dbe6b5f9a4b8d4/reports/6affe03c-4160-40d4-9c84-bae48283fa07/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6d468b56-94e5-44aa-984a-6b7e1a1f9af0

Result

Threat name:

Laplas Clipper, MicroClip, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1108672

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fbd26c2dd1ce905135c5f1e33a946956abc1d9c588339d5a129cd86aed651dd5/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-08 21:19:05 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7pjgylorz2ifcnof6hrtvfdjk2v4dwofrazz2wqsttmgv3lfdxkq._file

Verdict:

malicious

RedLineStealer

3d4ef3090cd85b30210d3b6ab9c5f6c5cd5db7131e55c22ae7ce2bc523d0393b

RedLineStealer

5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030

RedLineStealer

6b286ebe937d8a7057dfcb7110ef0badd4e28a19d264a1b865d1573690e3c4bb

RedLineStealer

d4f7c5d0b04ff56a3134b2edfcef0a690b4d0f68ff047cbf624ab12d5dd8998d

RedLineStealer

e70ed589ed297cfb772afa999b6483c72ad0f68bc8bb6b06d94ba67f497417e2

RedLineStealer

+ 5'538 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:5556567494 infostealer spyware

Link:

https://tria.ge/reports/221108-z56peabafk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

79.137.192.6:8362

Unpacked files

SH256 hash:

550bc26ee9d99ec311235e4021ecc69a5b33e822e452c4a5340735fa47de11e0

MD5 hash:

60c3510212ab006d3d6005c666aa196e

SHA1 hash:

b3a2db52df99e2378b9e2d20d6acafb289df122e

Link:

https://www.unpac.me/results/ab67f7b1-e871-4021-8f50-f08747d335bc/

SH256 hash:

fbd26c2dd1ce905135c5f1e33a946956abc1d9c588339d5a129cd86aed651dd5

MD5 hash:

5612cad7cc976d82ad2b94e9be554be2

SHA1 hash:

088025b68a926b9e07f92a5661a768a5dbfb7a6a

Link:

https://www.unpac.me/results/ab67f7b1-e871-4021-8f50-f08747d335bc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fbd26c2dd1ce905135c5f1e33a946956abc1d9c588339d5a129cd86aed651dd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/330838/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample