MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 020110f827d739393492ebad4dfea2e61792998044bc184843375c5e2cf1c572. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 020110f827d739393492ebad4dfea2e61792998044bc184843375c5e2cf1c572
SHA3-384 hash: fb3222910c23d5361a65ff378b00655f1e877e4f48eb871ce8478b3776f3bdcb614c5e3a8ef71b592f4178d7d2ba58c7
SHA1 hash: 264c26aa7f8936774a6b47ed25aa7191b9a2c367
MD5 hash: 9d3a692c500fd8ade7c328bae4d6be52
humanhash: bulldog-blossom-don-burger
File name:9d3a692c500fd8ade7c328bae4d6be52.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'138'848 bytes
First seen:2021-10-14 18:25:14 UTC
Last seen:2021-10-14 18:55:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f054065b5627efa75960a094c4ceb3ad (5 x RedLineStealer)
ssdeep 98304:zcg4xGZXnkD75AhSgY9xaZ6aPYGAYTgTWq37+xQ70h8ysqLg/qvzp2ALwhI:zf4odkD7mMgOa8mYGPyvKxrh8Zmg0seT
Threatray 19 similar samples on MalwareBazaar
TLSH T17956337316A420C8C5E6CD35C93BFDE479F616AE8F4194B8A4A6EEC538229F5D312D03
File icon (PE):PE icon
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://ec2-3-144-150-251.us-east-2.compute.amazonaws.com/?verify-id=47&verify-hash=827bfc458708f0b442009c9c9836f7e4b65557fb&verify-msch=R2xhc3NXaXJlIDIuMy4zNDMgQ3JhY2sgICBBY3RpdmF0aW9uIENvZGUgKExhdGVzdCAyMDIyKSBGcmVlIERvd25sb2Fk&download=1&xtrans=MTUx
Verdict:
Malicious activity
Analysis date:
2021-10-14 16:48:38 UTC
Tags:
trojan evasion rat redline loader stealer opendir vidar raccoon
Link:
https://app.any.run/tasks/818ead3d-42c3-4bcd-86cc-f801d5a86ca9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197608/
Detection(s):
SecuriteInfo.com.Variant.Bulz.817005.26795.23450.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6168763d1c2d58ba7406c8ed/reports/ccc1443f-3cb5-4067-8e7f-4436c6530f68/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58f6db96-a889-4a83-892f-94dfa9759986
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870713
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected VMProtect packer
Injects a PE file into a foreign processes
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/020110f827d739393492ebad4dfea2e61792998044bc184843375c5e2cf1c572/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 18:26:07 UTC
AV detection:
15 of 42 (35.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1abadd3fb21dbf1da2254539c73517d2af43ef9bdc3c67de66466fb961cb3fe6
RedLineStealer
22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9
RedLineStealer
2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
RedLineStealer
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
RedLineStealer
70c64a3f46820c47b44e30d3925165340735c7ce62ad124268820335ecc808be
RedLineStealer
81d14d241a35f52dae782c57784168f5295776984eb55d9f88f9f0cf12e67f72
RedLineStealer
8344424b2ab65b90171d02df7f9f8625308284c4b25e0e489c005f9c164784c2
RedLineStealer
cab81fbf16ca9e47efd63a5ade336d73dcfa12d2efd4a12ec2692a8aa0df9314
RedLineStealer
f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a
RedLineStealer
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/211014-w27kraabb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
VMProtect packed file
Unpacked files
SH256 hash:
781cf7a5542670f20f6bb6de3fe9b6fe2c94f4f902be54fce87d6051ecb21173
MD5 hash:
67cd3088189cf3fdf760239961a0df16
SHA1 hash:
422206d97bdbf9814a755cf0be352b8ac50c9fed
Link:
https://www.unpac.me/results/b73d1ad1-8eab-4195-9110-69d0b7ab222c/
SH256 hash:
70d1658c9d7637afb49a4406611278850e366e45bb0619cf6eda0955c2101c8f
MD5 hash:
3f0ac8f65660b0c241febe096f811f40
SHA1 hash:
455969b21c08e3fa1cf871833d80f0b5387e19c9
Link:
https://www.unpac.me/results/b73d1ad1-8eab-4195-9110-69d0b7ab222c/
SH256 hash:
020110f827d739393492ebad4dfea2e61792998044bc184843375c5e2cf1c572
MD5 hash:
9d3a692c500fd8ade7c328bae4d6be52
SHA1 hash:
264c26aa7f8936774a6b47ed25aa7191b9a2c367
Link:
https://www.unpac.me/results/b73d1ad1-8eab-4195-9110-69d0b7ab222c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/020110f827d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/020110f827d739393492ebad4dfea2e61792998044bc184843375c5e2cf1c572

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 020110f827d739393492ebad4dfea2e61792998044bc184843375c5e2cf1c572

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642880/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197608/

Comments