MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bc2ab881aec5908ca3db641dbc617f1e1791681b51eac32c49cd6d35c8e8d1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bc2ab881aec5908ca3db641dbc617f1e1791681b51eac32c49cd6d35c8e8d1b
SHA3-384 hash: 8ea1e3e0a00d89bbc15dcafa440fe847f50a24f8c0fdad529a4c4a287d6553e2b9c511c2a5be01e87f83d79c997c18e1
SHA1 hash: 237ffab192e6493cc69219fd6c236c0e6d26e8c8
MD5 hash: d2bef83ee144157b24451f1bcc339e31
humanhash: fourteen-xray-edward-bluebird
File name:kiddions mode.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'812'672 bytes
First seen:2022-12-13 15:39:21 UTC
Last seen:2022-12-13 17:35:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:zQ8O+VSLWDqmRvEGbQ/iLVioIICvAdRGK6Uek1yOM7ycKgmtXyGM+k2OIGExTg+C:Uf+VSSFtbQqLmICk
Threatray 1'818 similar samples on MalwareBazaar
TLSH T164662A9D729075EED86FC231A9E42C34EF50B8AB170F5197C42351B99A0D8D7CF982B2
TrID 45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.4% (.EXE) Win64 Executable (generic) (10523/12/4)
9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8e2eae6e292c2ee (14 x ArkeiStealer, 10 x RedLineStealer, 3 x Vidar)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
kiddions mode.exe
Verdict:
Malicious activity
Analysis date:
2022-12-13 15:40:48 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/6932aded-8b10-44b1-9835-bcc69a416286

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/345871/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22745.24665.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63989cd4485d8463dc416052/reports/36ae9f90-6867-4818-b68a-30c1154cd6ea/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b25faf2-a4ae-4c13-bf99-7ba2c873a005
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133517
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bc2ab881aec5908ca3db641dbc617f1e1791681b51eac32c49cd6d35c8e8d1b/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 15:40:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
7216
AV detection:
10 of 40 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpbkxca25rmqrsr5wza5xrqx6hqxsfubwupkymwettlngxeorunq._file
Verdict:
malicious
Similar samples:
38a4aa886e31b053da14946bda69bffcdbc9278c95d943d5f8b16bdf5a3e3915
RedLineStealer
4743bad8f6939aa7645a043208010c2a9e75fbbcbbc8ca597a0c2a74ce7b6cc0
RedLineStealer
47882cbac974961e1e003b60646d60f2c0316acf405c40707dc2abbdcbcb8805
RedLineStealer
80a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6
RedLineStealer
861f39b007a3c38bf137306562446c9022e6a2cfd308f90549d771914d737aae
RedLineStealer
93b9594a5c1a1ce50c398fad864b8828ec51f4ffdeed2538566e695bccf281a8
RedLineStealer
a3679e6c9bffd5313696c15aea5074be0aa0533ee1b6419ec06969a720be6951
RedLineStealer
a45e5648dac23fbc36adb63fcb33b81178594403f276aa3a1195b91fc29aae5c
RedLineStealer
eab60fc0c63f6c16a71da430281aac89914608f749f7be741274dd3493d8d1e8
RedLineStealer
fb65db138ed870c36bc6ef04c5d13b7e6789dc5d002cbcfa2111341fb4d20b13
RedLineStealer
+ 1'808 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@s1ker777 infostealer spyware
Link:
https://tria.ge/reports/221213-s364tsfa42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
176.113.115.7:2883
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/79d1b394-bb84-4039-90c9-f9dc0dd159dc
Unpacked files
SH256 hash:
47a3c30ef1b1e527796f6c63fe2a4866e295ef4602d2aea44812c63b2ba52b55
MD5 hash:
e8e2a24c23ea9cdb76516396ab994d5e
SHA1 hash:
3a2409bb9559231a7cbbab93aa0f541976d4f956
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ae9ea664-84fd-47e7-b2ed-e9dd71fa9097/
SH256 hash:
2953083c71d71429dbe672e6df17ed8c681ca31ff58f863a208a849b5f202777
MD5 hash:
8dc3d840d1d083447d06c8d49de88339
SHA1 hash:
2a3e3933bd8e441dbb58265a2704ff45b62df4ce
Link:
https://www.unpac.me/results/ae9ea664-84fd-47e7-b2ed-e9dd71fa9097/
SH256 hash:
0bc2ab881aec5908ca3db641dbc617f1e1791681b51eac32c49cd6d35c8e8d1b
MD5 hash:
d2bef83ee144157b24451f1bcc339e31
SHA1 hash:
237ffab192e6493cc69219fd6c236c0e6d26e8c8
Link:
https://www.unpac.me/results/ae9ea664-84fd-47e7-b2ed-e9dd71fa9097/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0bc2ab881aec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/0bc2ab881aec5908ca3db641dbc617f1e1791681b51eac32c49cd6d35c8e8d1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/345871/

Comments