MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b8f3e4e72ee0466fc5d415a62b3f9318879b23170179f6f40772da91b1d9c98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11



SHA256 hash: 0b8f3e4e72ee0466fc5d415a62b3f9318879b23170179f6f40772da91b1d9c98
SHA3-384 hash: 4a8afedc9d70caa7b8768440308451036908983d4e88da1521fc815517f005adf2a258c7854b45566e39b42f9814addc
SHA1 hash: a9284038d4261f7c4ae5a16851216cfd01c7b8c2
MD5 hash: 70af2782a658f04e84341f18e09207ae
humanhash: artist-oklahoma-uncle-pluto
File name: 70af2782a658f04e84341f18e09207ae.exe
Signature: RedLineStealer
File size: 1'264'128 bytes
First seen: 2021-11-07 14:21:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 24576:/b1znt1E171toVuGFeOkxiCgFTAdBZXWCWCjqHs9NnnIz4:TRntWFOjeTxTgF87Z7WCjes9tR
Threatray: 2'342 similar samples on MalwareBazaar
TLSH: T1024523ED4AB1D18BE3BB067920DFE3A0B4637B20615525474EFDE8162A20FD0529B70F
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
129.146.127.215:39241

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
129.146.127.215:39241    https://threatfox.abuse.ch/ioc/244868/
62.113.112.212:11375     https://threatfox.abuse.ch/ioc/244869/

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Injects a PE file into a foreign process
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 517249, Sample: 3qSjPmgRaH.exe, Start date: 07/11/2021, Architecture: WINDOWS, Score: 100. The graph shows the sample dropping and starting 123.exe, OlecranonsCasein.exe, deforcing.exe, AdvancedRun.exe and a svchost.exe copy under C:\Windows\Resources\Themes, with network contact to 62.113.112.212:11375 (VDSINA-ASRU, Russian Federation).
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2021-11-07 14:22:05 UTC
AV detection: 18 of 28 (64.29%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:spreading max evasion infostealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
129.146.127.215:39241
62.113.112.212:11375
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe 0b8f3e4e72ee0466fc5d415a62b3f9318879b23170179f6f40772da91b1d9c98 (this sample)
