MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
SHA3-384 hash: ca5cd810f43daaa878dd077079adc23dde50240e1af4dfc58a63e2c0602cc8aa15e06bf2cf7c56cc4e27c2b6a06a0165
SHA1 hash: fb5ed48a80131043c4dd2e4ac69b4b38578f9753
MD5 hash: cfbb3be155b12d0cc69e3d932fbb81eb
humanhash: sink-california-lemon-pasta
File name:cfbb3be155b12d0cc69e3d932fbb81eb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'928'192 bytes
First seen:2023-10-06 14:15:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b092678fc438a3bc6ea71ba0ea4cfa08 (12 x RedLineStealer, 4 x MysticStealer, 2 x Stealc)
ssdeep 49152:KSgFimILMhAQF8g8O6a3vyTcibvlDTCsWf:KSgig8phxbvlDOsW
Threatray 229 similar samples on MalwareBazaar
TLSH T1BB950B1166F94B59F7F34EB85ABA6625087AFC69CF11C2FF1151908E0820EF48971B3B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-06 11:28:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/00b5b53e-43ec-4eac-8726-8e3700983763

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61882.20261.29436.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652016a4a31588d184f2fb0c/reports/ce67964a-cb3f-468f-910b-27576906de66/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7627c36-c5d5-4190-8cfc-45cbe98a13bf
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321008
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2/
Threat name:
Win32.Trojan.Mokes
Create hunting rule
Status:
Malicious
First seen:
2023-10-06 02:18:05 UTC
File Type:
PE (Exe)
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7u34a72rt5jc5nyxunzctfjf6ztuhg4lbunk763hbiar3o6nldza._file
Verdict:
malicious
Similar samples:
108cf61a1fb5f4f20c05e79717ec74bafc4b715f32705fa5e243ecd1da7e33c0
RedLineStealer
2396b598bc772acaf763c343493262acf07ee418288c9f12590451d491c25e0d
RedLineStealer
3580ee6c69a90fc6abdb279a0dc049e3244b651633a370a88082fa6b6c036c93
RedLineStealer
3b9edd34b369ce1a86c5a19058907c9bd7c656330d39cbf14e6a6f3ac717f12d
RedLineStealer
4e13187cf3b12225f1d1f6b5522401d26b6a4cba66aa76c559d278d249bc29da
RedLineStealer
58448c417657e36527847d43cb0adc5e910b8e5211cbf8b3fc35c52b59332c53
RedLineStealer
ca7017068fc3c6715a095bf0545d359ecc06c426c6750acd6e24148d5e942791
RedLineStealer
d78ba749c5162b591ec8b2e8e70fc758bd545f86c05b05c47d4d0388833bd498
RedLineStealer
e1ce19b2eeaf09c5c4e7286b813f10f61ebfc7a27b156d5c8d536ceb830ae0d6
RedLineStealer
fd42fff03752fe763d0e90f0c164ad376edaf3c24b7bc872c70ecf236ebf9f10
RedLineStealer
+ 219 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:frant infostealer
Link:
https://tria.ge/reports/231006-rk5bvacf6z/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
81cba4a3887b1b32dac54b2872641ce273ce728c8d0dbd8f89dd59504359a3e4
MD5 hash:
e394a67b4cc60338df57a6cee5848101
SHA1 hash:
16ec2a17b34bf0bcb8985b2eda308e9ba82fdd92
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ded02ee7-e251-4f17-8d40-e1352dc8dd33/
Parent samples :
935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2
ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3
fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
SH256 hash:
fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
MD5 hash:
cfbb3be155b12d0cc69e3d932fbb81eb
SHA1 hash:
fb5ed48a80131043c4dd2e4ac69b4b38578f9753
Link:
https://www.unpac.me/results/ded02ee7-e251-4f17-8d40-e1352dc8dd33/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd37c07f519f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments