MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01b03e3685fc9fa6d7c59ddf16457c45c27e78cb09b9800e0689a23989c0d047. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 01b03e3685fc9fa6d7c59ddf16457c45c27e78cb09b9800e0689a23989c0d047
SHA3-384 hash: 33777c7b394189dc40f33cd2e7d294da1053d78451618b62288d21adc4421cce564f85f31a17f5351d29e33ed9d44191
SHA1 hash: 2d8a25ea7ad5f54bf22f5a4121ae672d4b53bace
MD5 hash: 5b6c9bdb605a9ef8685e08998b24368b
humanhash: wolfram-edward-delaware-skylark
File name: 01b03e3685fc9fa6d7c59ddf16457c45c27e78cb09b98.exe
Signature: RedLineStealer
File size: 457'728 bytes
First seen: 2021-09-29 03:26:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep: 12288:IbjDhu9TMsp4asV+MfbX50+TTZAcTKuS0+KW3j:21eTMsKBf1VTYKW3j
Threatray: 66 similar samples on MalwareBazaar
TLSH: T148A4F06772E40195DBB142FAC8A1034AE77034361B55A3CB5B6863B32B2F4DA9F3D391
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
80.87.192.137:27018

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 80.87.192.137:27018
ThreatFox reference: https://threatfox.abuse.ch/ioc/227545/

Intelligence


File Origin
# of uploads: 1
# of downloads: 107
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9.exe
Verdict: Malicious activity
Analysis date: 2021-09-29 03:26:13 UTC
Tags: trojan evasion phishing opendir loader stealer vidar rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Stealing user critical data
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph (graph image not reproduced; only the information recoverable from it is listed):
Behavior Graph ID: 492932; Sample: 01b03e3685fc9fa6d7c59ddf164...; Start date: 29/09/2021; Architecture: WINDOWS; Score: 60
Process tree: 01b03e3685fc9fa6d7c59ddf16457c45c27e78cb09b98.exe starts cmd.exe, which starts extd.exe (three instances) and conhost.exe
Dropped file: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+), dropped by the sample
Network (from extd.exe): cdn.discordapp.com 162.159.133.233 port 443 and 162.159.130.233 port 443 (CLOUDFLARENETUS, United States)
Graph signatures: Multi AV Scanner detection for submitted file; Yara detected BatToExe compiled binary; Multi AV Scanner detection for dropped file (on extd.exe)
Threat name: Win64.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-29 03:27:15 UTC
AV detection: 21 of 45 (46.67%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer upx
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction: 80.87.192.137:27018
Unpacked files
SHA256 hash: 01b03e3685fc9fa6d7c59ddf16457c45c27e78cb09b9800e0689a23989c0d047
MD5 hash: 5b6c9bdb605a9ef8685e08998b24368b
SHA1 hash: 2d8a25ea7ad5f54bf22f5a4121ae672d4b53bace
Malware family: RedLine.A
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments