MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 008a61bb88d22791b3aa7a3e92bcf63944bc3843e9af9ebfa4733baacce72a88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 008a61bb88d22791b3aa7a3e92bcf63944bc3843e9af9ebfa4733baacce72a88
SHA3-384 hash: 18b736d5f8a5c9c96de807c90209c3434595349a99e55d4613f678f24628f20862654a8b57f18b3efc6cc73ba982c702
SHA1 hash: 1cb0ee4fce6a290d1c366dc799f06fed801da9e3
MD5 hash: 2756f92ad3e37d7db6e1000d7e177411
humanhash: romeo-romeo-two-south
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'475'008 bytes
First seen:2022-10-25 18:31:14 UTC
Last seen:2022-10-25 18:43:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5f0f18aac36409a08519634008f3b24 (12 x RedLineStealer, 1 x ArkeiStealer, 1 x RecordBreaker)
ssdeep 49152:tjGhvTEtaEX+xAaGPJMsmcWkCThJ3A5HANSk7t/D+xE7WTC+RYF:RGhvTEtayJM5kEjaHdk5Ky7WTz8
Threatray 686 similar samples on MalwareBazaar
TLSH T1AEB5F122F9828076DDE311F1C1BDA52D212EA1701F2149DB5B44ABF8EEB05D21E36F97
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://79.137.192.57/tool/softwinx86.exe

Intelligence

File Origin
# of uploads :
10
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-25 18:43:01 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/f06c8234-da7c-4cca-8c64-c8b98439c6fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324110/
Detection(s):
SecuriteInfo.com.ML.PE-A.16551.14024.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45467/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e56e2e03-3978-43a6-acc6-a62a5a2ebfde
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097823
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/008a61bb88d22791b3aa7a3e92bcf63944bc3843e9af9ebfa4733baacce72a88/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-25 19:13:14 UTC
File Type:
PE (Exe)
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=acfgdo4i2itzdm5kpi7jfphwhfclyocd5gxz5p5eom52vthhfkea._file
Verdict:
malicious
Similar samples:
238b79234a719db1d2dc3c2aef8f60bcf09a6b70acb6aea2b55ff090ce95cdf1
RedLineStealer
414c9c9b5c0910ba13c53ea9730e3cf67b906ab7e6a5f340ff8f3f7fb4011597
RedLineStealer
4432a90f67c985a48c470e7b04d59728a766818bf0237b0bc40c0b9837768bef
RedLineStealer
9ee4629c44106c3a802d02cfa1e67ebb15a615a652d4bd087a3c07e8786531b0
RedLineStealer
af59073e2491c0ba8f6ffd994d9e21ff5cb2d037416bd1f7397b67ded01fc2f0
RedLineStealer
dd9d6e2d8ef7d51ba57f8a52c3480e166be83bb30e57ae9a590d6e952d37fe26
RedLineStealer
+ 676 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1310 infostealer spyware
Link:
https://tria.ge/reports/221025-w6ltvaddhq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
79.137.192.57:48771
Unpacked files
SH256 hash:
54869cbab7c7f0273dd9b6aaa1ea0f6e029348909b40fa48b721bc1fa49f7f51
MD5 hash:
5e6ba3cf4b679c1f19b8f0399b6df5ed
SHA1 hash:
33b62204a83c07d1b16b2dbb80e9e72694b6b990
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f1ad430d-da61-4747-ab99-4d1337e359c7/
Parent samples :
c7781cfb523fcb0e2ef9f23b3c47f2fc577f813b0bd945038cf0bf6f8f031d53
e7188a305377210c1d143ed64d0c20941a7674cbc6343c2f59411d1b2b0b3f77
475cd3f9fad6e9ebb0b3eed6e7a9a3c7afdd3821f7b973be821f113c67f79813
629d49bca0cccdac0316eac6ef6a535429ac9fc07fbc667bc9afde3882bbf91c
3d169a74ffc82acef0bc527903959e171dbd2a0a66a069dab0e4a427d08b8cfc
d967ec50a2adaac39b866eca742cd1fb64dea61b8765f3c0a422156f02620e38
57561e4706e899a09407a3b79c58119e8471744480d86e87d82eb3c7e38f4d48
4ea71ec9ce864bcd5ed2fbdbbee3043574aef9e8ab63c7eda7ca5605d9f84021
cb37cfbbc7dd0e12e5fb382602d1a09c5e796057ff7d5cd239115d804ba7bd0d
26493ab1dbaed9408088811666ff1b8aa64d16850ac02af66c3945712995cf48
9debf80908a56bf81aca19b3ae37a134da386b8a4cdd3b8028acca7af88392d8
c25e8a9c0df8bec0f9976e5b81eac807a1150971c719afe2fddc0c98a36f3196
af59073e2491c0ba8f6ffd994d9e21ff5cb2d037416bd1f7397b67ded01fc2f0
414c9c9b5c0910ba13c53ea9730e3cf67b906ab7e6a5f340ff8f3f7fb4011597
dd9d6e2d8ef7d51ba57f8a52c3480e166be83bb30e57ae9a590d6e952d37fe26
9ee4629c44106c3a802d02cfa1e67ebb15a615a652d4bd087a3c07e8786531b0
e6cd08369e8df5e9c41da1e9287e345cd47087fcd772469f82cdbd96e550fd53
d173bb70e924eaf2d7fe85606769051218b371ff8cc99c8d6b107470f4476ef6
2d2c909f0967aa49e9c21746c17372d430fbaaf681c7cf18e1ff1495a66840f8
61d3b6c51c6cfa2a09608546228873b1d8cf0f748eedbbda2a00da0697a125f5
cb0826c27e8d1a3f9a947ad9c24e381336b3388573d3c62c58af5822511f20f7
f6af42d558ad981e86207197c19c4c001f939736a6ccc0778e91e4e8b6aa18c2
4432a90f67c985a48c470e7b04d59728a766818bf0237b0bc40c0b9837768bef
008a61bb88d22791b3aa7a3e92bcf63944bc3843e9af9ebfa4733baacce72a88
e5632eeabddd9e66b422a926adba39b75ac5e7885a88d080771763bd1f7d6064
3d82bc9da6da3c016cd8d374c285ee1de7244e8578a845725ae9a24e34bfe831
3a0b837f9f9d9cf1216bc0487e55155d5add79b330b0eb6f9463cb237e5db98c
54869cbab7c7f0273dd9b6aaa1ea0f6e029348909b40fa48b721bc1fa49f7f51
617301672d1f4c05a41450aaf0ba7070c18ea35ebdcf83949501b8ce85549d8a
7248aa88cf8170caec0e3d9df91d7c1020506958df860766b26f20b76d2397e2
f19e361d171f85d8325fd4138c5d14ea750ea66f3b07536da50bbd54ad398ba9
bc27452e96a5ab9a9e8c4991b965584df78d87e11b0d426402d5e2d529ab96b1
bc239c97e7f12aebe5b2eac70cf54092236362693551d6970c2d9b38848f0470
00985e9c78569c673b2c2e4c1c479d849d6e1e6e49b32f97455de42239a465ff
d7a60260c59aeb81a66638edc64c0027d3b13ce8ee860a3dad1a9101e7d83d29
7c0f1076818b375e6f1408047c9aa918f31915217a321b824b7467cdb7981053
9b1baa3ef62b74ef1bd2851698c436df2e7611321b273a23091dad2718553428
761d366394d8a814fa84830a442233e6b8bb31c09691589f64378ec4f4fd9d9e
468c3dabe7cef98ec4cc70ee5eb3cabc44c77b838617f3ce8cbd525f045fe74e
71d0945e4d60902c1215705836d51bac78b7ff80b01ed2fc9d919b82862c1068
f232654d1d262109fb6dee355610ff0083e8b957cbbbc529d2308d9a4f03833e
726225621e822e35ede3202cfd09ab2f1e15da96ef2555468828530f18b9d1d2
fb510aeb78ac861e75a3d79ee2926d44121eaac29bdfac8878f2cd3cd4c2553a
2b83cdcd64c67d5120f8437964da866b0c0a9456eb45471bbe35242d3c858a0a
26d5ce886422babf3a4020e84361813d0b1fcb5a5e1ca391bfab7873f7394952
e3efcf9237ae7e4ee179e854857b1e46d3b96be59e5b04f1e5a71e8af1baae10
4763b755f8b0579e6ada5d049146a9a20608285e59ef9979853c3b77a5f77030
7647537af5b614828136af7fae77affcfae957f4ba3263e43f8e79c5ec1071dd
e67ce2f27ec2d2a4814f4af2a14ccdf6340b1a06936a67d1a23b854343a6230a
849d9eb268923311204b41d4eb925f991a514cb5a7cad0501a13e2a273f9b681
3734d2063053d533ef00fd60d153b01ed22a6f4e646fb4a9c522e3287f2d0a57
8c1b689b3805065141879f5f4489134cdaba5b1d249eea568a00d766c4a4b616
dfa34a9fd817fd51a614eacb4f4b7004dcb1fa994d3a290e5a2c5f76947f7eba
6f1132a6f7b6a11e7fb530f2239080a458c8e48c8553ec65a7c7a508bc735c50
a9542676ee9a25c64a9fec1466664511f6059b51d8192025f95855b02ffe9620
67dae3aeae58de83d82be1c9c0977b0e09f2e7bb3c1fdb0ea9f39e6b88d03765
86395cd8929690988706bf1d8347814707b25826947cb80d5f517b1211a525f8
f63234f1fae06adbcffe42edab107da066e2e263b2359028bdcaf6f544de5205
36bf4d35f07c97dfc03f2e36b98d6f6428667d7880e1e9b29322f9158b30e23f
06d066931865847a0571d3f3c86e84e6d32c6741400060149e4448ea5ebc338a
a9d8b0c4864b446bec6aa42fb89a53f3df431abf36e678dda594d07a30aae3f2
122e6d27275a27710f4aeb7c1ba14cd94d68b42e7a124d07af5525a73e8fb97b
799df5470febd5c98a70f4df5add1e01462600032c6b126daa1665ea95af4f0e
d66061e11f941e77c914ce427585d7fbd6a58687c00449b533a6439b15076d75
c141c66a1a9e1f5ad33cce2f2a3ce7c881ffefe8bfb0d16668a14fdfa4430559
43af5bce1d2f2521c8eeb8133e0fa90e4ee9241e6d5cc8b8e6560052037f5427
3bb55ed5b558ac6cc7b2319c23f1ff5381fb548dcbf54f3e362b536330fe588f
af6c2868692f3b47367b480e916f04170ad59a222857e1ae52c1083764446b03
5a5d66f78d2a7aca898fc4598017e6fd8c17f3b4d71a6c4f1e549bff9a913c5f
e38753bedffcfa158db456c4476cf4544880d3530a5dbeb357205403ce25fa0d
d6900e7caed905089a37a2932cfc2e3525e6dc67c4be33bcac30fa4576df6ef2
SH256 hash:
008a61bb88d22791b3aa7a3e92bcf63944bc3843e9af9ebfa4733baacce72a88
MD5 hash:
2756f92ad3e37d7db6e1000d7e177411
SHA1 hash:
1cb0ee4fce6a290d1c366dc799f06fed801da9e3
Link:
https://www.unpac.me/results/f1ad430d-da61-4747-ab99-4d1337e359c7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/008a61bb88d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/008a61bb88d22791b3aa7a3e92bcf63944bc3843e9af9ebfa4733baacce72a88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/324110/
  
URLhaus
https://urlhaus.abuse.ch/url/2378332/

Comments