MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d
SHA3-384 hash:	e746dd43be0362bb49a61cb541cf5ec9ba3b34f3b482b8d619b65f5f618cb9dfa03cda0a511004961f00d556beb5471e
SHA1 hash:	9e393c6f760a3a69bb7852a144e5abd68b2215b7
MD5 hash:	28869b1167c5f816e2923a2d3133dcf7
humanhash:	carolina-idaho-queen-idaho
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	433'664 bytes
First seen:	2023-10-18 09:18:56 UTC
Last seen:	2023-10-19 01:18:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4f0cdfd3e1be2bc790b5aa9061b7d52c (7 x RedLineStealer, 5 x Smoke Loader, 4 x LummaStealer)
ssdeep	6144:xqrm6g5xShvihb5oVIlCMInrAOA2UPu4TTj05JmC83X24SCD+waljy:xAw3SBibAVOaov05JmC83X24Sm+w8jy
Threatray	1'560 similar samples on MalwareBazaar
TLSH	T18F94381330824131D3E092F659E68F751B26F438DB62A94F131A1DBFA6F726296377C8
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

336

Origin country :

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-10-18 13:29:24 UTC

Tags:

opendir loader payload privateloader evasion stealer arkei vidar risepro redline stealc amadey lumma sinkhole ransomware stop vodkagats trojan botnet smoke

Link:

https://app.any.run/tasks/d52cdace-cf3e-4077-8e92-b806c3e4f530

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/455633/

Detection(s):

SecuriteInfo.com.Variant.Cerbu.189373.9172.9529.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

No Threat

Threat level:

2.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/652fa30710dbe5fb92cd7b9a/reports/6108192a-0909-4b88-9fba-528027001cac/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bc260bd1-bc31-4fe6-a9ea-137dfec850d5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

n/a

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1327901

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d/

Threat name:

Win32.Spyware.TrickBot

Status:

Malicious

First seen:

2023-10-18 09:19:05 UTC

File Type:

PE (Exe)

AV detection:

23 of 24 (95.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bbrozkazk6i5bcalwld3sce7xf27umfzkz6bldydu4h4q2mr64gq._file

Verdict:

malicious

RedLineStealer

0d2075b728700bacfa79dc4138df8e89a8d3a67221f612d2997968598b6285b3

RedLineStealer

2e2208d8929729766d184b02f6030a0b77fb560c1bfbb69e2c56479623083675

RedLineStealer

6d2ec231112b3cfc9f4b22c0d21866be80d39c68ddc0358bdad12284e4783ea2

RedLineStealer

9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff

RedLineStealer

adad848bf6d7a20eb9faef8413be0071b82fc7b237c867e15e05e7d5600d23ee

RedLineStealer

bbb535e87b6d2fde49c6b143af1a003b5670b422937c9dd0cf5424bd212dfc01

RedLineStealer

da920bb04ee50d8842f01eda3e8eafde082331df010631fc8d0a2c20af911e98

RedLineStealer

e6e34973f51bfecb0dea2825753f1db7414549d9e794bcdf8191b1d8486ffcf9

RedLineStealer

f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3

RedLineStealer

+ 1'550 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:build285 infostealer spyware

Link:

https://tria.ge/reports/231018-k96smsda7t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

194.169.175.232:45451

Unpacked files

SH256 hash:

4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02

MD5 hash:

281cdc7e284b96011624acded1859799

SHA1 hash:

af8e34c4c7708547c8f2d35a13121c7a9d6fcd20

Detections:

redline

Link:

https://www.unpac.me/results/271138b1-94b7-4259-9d06-8dd46a3d9b0d/

Parent samples :

399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d

SH256 hash:

0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d

MD5 hash:

28869b1167c5f816e2923a2d3133dcf7

SHA1 hash:

9e393c6f760a3a69bb7852a144e5abd68b2215b7

Link:

https://www.unpac.me/results/271138b1-94b7-4259-9d06-8dd46a3d9b0d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0862eca81957/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/455633/

URLhaus

https://urlhaus.abuse.ch/url/2706937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample