MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b08ccb99298e3ae9d9ea3920dc7a5769e0c4c73c408a546ddc3262c1e66ab6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA File information Comments

SHA256 hash:	0b08ccb99298e3ae9d9ea3920dc7a5769e0c4c73c408a546ddc3262c1e66ab6f
SHA3-384 hash:	ee03af5797a0b95805974b30323e8d3483345491372ffc49927ed46b6a81ab8ca50b05378c7b7e943c664f63272b1873
SHA1 hash:	fa9eb4595aece019a9dec73e95e6f867d89d0cdc
MD5 hash:	3850df50c32911b44b570db96c868992
humanhash:	delaware-comet-mango-oscar
File name:	3850df50c32911b44b570db96c868992.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'746'653 bytes
First seen:	2022-10-23 14:06:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a93cea5329220fb90674a1f0bde2cd0e (40 x RedLineStealer, 7 x RecordBreaker, 2 x ErbiumStealer)
ssdeep	24576:L0M+ISzFGgA9K2YNYlYG2X7M87CAxdm/EZ+B+MhDuRz1XyFLy66W/hBxLTGi79hn:L0MxyFGgEiPMhSJ1Xey6T/hBxOIYl3g
TLSH	T142D51A135A8B4D75CDD237B4A1CBA33AA734FE30CA3A8B7BB608C53559532D46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
79.137.192.20:7466

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
79.137.192.20:7466	https://threatfox.abuse.ch/ioc/915897/

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

3850df50c32911b44b570db96c868992.exe

Verdict:

Malicious activity

Analysis date:

2022-10-23 14:09:04 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/6393a72b-7c1c-4a69-9daa-2d4aecec118a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322974/

Detection(s):

Win.Trojan.Fragtor-9975356-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/44707/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/63554a86898b0652a4b975bb/reports/b9225592-3040-46cb-bf45-0f809616f589/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a50d28e-977f-4862-9b4d-abeeb2190823

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1095900

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b08ccb99298e3ae9d9ea3920dc7a5769e0c4c73c408a546ddc3262c1e66ab6f/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-20 15:56:00 UTC

File Type:

PE (Exe)

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bmemzomstdr25hm6uoja3r5fo2paytdtyqekkrw5ymtcyhtgvnxq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@stake_lzt infostealer spyware

Link:

https://tria.ge/reports/221023-reyxwaagdj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

Malware Config

C2 Extraction:

79.137.192.20:7466

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/61724073-b03d-46cd-a9cd-e022b905cba5

Unpacked files

SH256 hash:

0599b43a40f674550cc5eeb4d6a2b06408ea57502ec0ffa38c84f9623d7783e9

MD5 hash:

af316ff981472e43c35b15ec53426e91

SHA1 hash:

bf589f76f240966996bec7743b3c2a22383b8fe9

Detections:

redline

Link:

https://www.unpac.me/results/1a32ee32-bae0-4706-993e-3b782c84c3f6/

SH256 hash:

0b08ccb99298e3ae9d9ea3920dc7a5769e0c4c73c408a546ddc3262c1e66ab6f

MD5 hash:

3850df50c32911b44b570db96c868992

SHA1 hash:

fa9eb4595aece019a9dec73e95e6f867d89d0cdc

Link:

https://www.unpac.me/results/1a32ee32-bae0-4706-993e-3b782c84c3f6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0b08ccb99298e3ae9d9ea3920dc7a5769e0c4c73c408a546ddc3262c1e66ab6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/322974/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample