MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f
SHA3-384 hash: c294e99d979abe012ff14e06792b0e67d755b270c575c036f8a9c814b8fbd83cc75f20083a0369d19276026a2bfcb3ee
SHA1 hash: 3565d8a9b62761b1272239a206a5ce6d66eafd9c
MD5 hash: cc6492bcf288a74f41d2d683f8b67a0b
humanhash: zebra-apart-magazine-failed
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'981'312 bytes
First seen:2023-12-16 18:00:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c5a3bc5dad2bbb538cbb07966c1b7b98 (1 x RedLineStealer)
ssdeep 24576:vhjVPw3Q+ZW9gIQkehHpEZtxu6PHvNW6a9Dhvh26l1I6tN3YSDmUQ:vhxw3Q+4QJhHpEZt7HlW6a3vske
Threatray 2'127 similar samples on MalwareBazaar
TLSH T13D953FD172F90B59F9F30BB856BA6612087ABC6ADF11C2DFD250504E492DBD08970B3B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
US US
Vendor Threat Intelligence
Malware family:
tofsee
Create hunting rule
ID:
1
File name:
https://leeziptv.com/davivi/release_ver9.rar
Verdict:
Malicious activity
Analysis date:
2023-12-16 17:37:39 UTC
Tags:
privateloader evasion loader stealer stealc risepro lumma opendir tofsee botnet amadey miner redline smoke smokeloader sinkhole ransomware stop glupteba trojan socks5systemz proxy xmrig g0njxa
Link:
https://app.any.run/tasks/c8867ec1-e1c8-4eb8-ab30-143c048e42a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468075/
Detection(s):
Win.Packed.Pwsx-10012424-0
Create hunting rule

Win.Trojan.Stealerc-10014035-0
Create hunting rule

YARA.telnet_cgi.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed rat
Link:
https://www.filescan.io/uploads/657de5e1b4e856b7281c350f/reports/a65646ea-7523-4dce-ac5d-32e29f3976a9/overview
Verdict:
Malicious
Labled as:
Kysler.Generic
Link:
https://www.hybrid-analysis.com/sample/fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/624756e0-13b0-4af7-82e7-0a7e1839042d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363462
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-12-16 15:56:32 UTC
File Type:
PE (Exe)
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zthjyrycliaulqkdv7jyyzksrkini6s4uzdipzwx36eyh7w75xq._file
Verdict:
malicious
Similar samples:
1b6be2cdcadeda08283cfb8118e70e5a847c7070917fd3482cf870e0b729dfe6
RedLineStealer
48eb3ec3e2861155e7452daa59c6b022f15c3927bcd482fe15b0827460e58c6c
RedLineStealer
70655332d3dbe7662fd0f0035989cba7aae059b53df195c92d5234c01ead643d
RedLineStealer
80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300
RedLineStealer
d84228bc8874974717b8a2a3ad178b09ca535aa6e8387e6fbc3f5199055fa750
RedLineStealer
fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f
RedLineStealer
+ 2'117 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:work1337 infostealer spyware
Link:
https://tria.ge/reports/231216-wlwhjscdhk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.33.191.102:21751
Unpacked files
SH256 hash:
23d90168f9df48907d2004e36bde0a1dbd14c1f8a343077ddb7456c86a91245d
MD5 hash:
998332ffee539ada102221dbb82be53a
SHA1 hash:
2d1cec41f83656aced29dae5fdab8e6470d66f47
Detections:
redline
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/555022f9-ba3d-4477-92ee-f7824e3f25ff/
Parent samples :
e2ca778df1ceb5c82033642a14a8a0c4e97dd2855c81a841c25e88253e6bdd24
b27c6dc1308d26bfd3aaa4d199e4c4434d00ed8c131161f3bf215385c2c7672f
4a3add71ff563b2c20d1dc3d12cccca92decca1009073a9d9738b789c60bbd1c
4d1b56bab9b7698d67f2ee506f3339feb9b74752ebb9c36b89ddc52e6ff3b06a
98416948da54776f0e0aa636096b78fca785cbe90f29f1ddbfee62d56b20b950
fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f
SH256 hash:
fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f
MD5 hash:
cc6492bcf288a74f41d2d683f8b67a0b
SHA1 hash:
3565d8a9b62761b1272239a206a5ce6d66eafd9c
Link:
https://www.unpac.me/results/555022f9-ba3d-4477-92ee-f7824e3f25ff/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe6674e23812/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fe6674e23812d00a2e0a1d7e9c632a945486a3d2e532343f36befc4c1ff6ff6f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2739787/
Cape
Cape
https://www.capesandbox.com/analysis/468075/

Comments