MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1073f4d58084a1341acbc0fd3a3b17ee2794f16bf62b3b317b2117f28c12cc6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	1073f4d58084a1341acbc0fd3a3b17ee2794f16bf62b3b317b2117f28c12cc6b
SHA3-384 hash:	be1387c92417897ca29cd708bb6da885bdd510ccd521766ca21db06c994d81fa585299b3dfaa3ca8fc16e8c438243c84
SHA1 hash:	393bf6a2f0c6f6826ebba98ce6a4483b80ba16ea
MD5 hash:	0c6581c92d964a774e3d890a8a2bca08
humanhash:	stairway-berlin-zebra-massachusetts
File name:	GI_HackV2.1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	208'800 bytes
First seen:	2021-10-24 15:00:41 UTC
Last seen:	2021-10-24 16:21:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:wXpIOpUkbtFV6ddP8mWCfdN562jQqt176pn3RbO97u7etAV9P:eafwtXoP8mWCbZQQ176p3pOQaAr
Threatray	2'301 similar samples on MalwareBazaar
TLSH	T18E1490832E59FB19E0813E3782CF4A1507AB2DC64A76A9C32F4EEE5105152067D3B77E
Reporter	tech_skeech
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
37.252.9.247:37711	https://threatfox.abuse.ch/ioc/236963/

Intelligence

File Origin

# of uploads :

# of downloads :

434

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

GI_HackV2.1.exe

Verdict:

Malicious activity

Analysis date:

2021-10-24 14:58:52 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e0e19895-c171-4143-a324-d96d1319741a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/199662/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.4403.24057.6352.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Forced shutdown of a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/54035c9b-c909-4695-9470-c6f3db999582

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/875819

Signature

Allocates memory in foreign processes

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1073f4d58084a1341acbc0fd3a3b17ee2794f16bf62b3b317b2117f28c12cc6b/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-10-24 15:01:05 UTC

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cbz7jvmaqsqtigwlyd6tuoyx5ytzj4ll6yvtwml3eel7fdaszrvq._file

Verdict:

malicious

RedLineStealer

73d7def516f13281fd06673ef3b5b87eb99ba4f708dbfa78a11bf0de94b23df1

RedLineStealer

8867a5229762e4b01828f7295c0821f4acd8545acb7fc648b05b87da54754120

RedLineStealer

a7ee4b81780bf55a3da4a984a35563b20441f5b0a618771882ae1e4000b4d941

RedLineStealer

e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2bdea925c9bdb6aa1f43

RedLineStealer

+ 2'291 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211024-sdwa2afchp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

37.252.9.247:37711

Unpacked files

SH256 hash:

b3f4bdb98fd49fa5892b241ae93e35601d7f42add09eb03bba696e31b79bda96

MD5 hash:

753cb9327ecdd0055dd0464e45da4904

SHA1 hash:

8bd9050c82ab11795393175a737d2b0b4f46be1a

Link:

https://www.unpac.me/results/8c682efe-cb7f-4344-850d-f9efba95160d/

SH256 hash:

1073f4d58084a1341acbc0fd3a3b17ee2794f16bf62b3b317b2117f28c12cc6b

MD5 hash:

0c6581c92d964a774e3d890a8a2bca08

SHA1 hash:

393bf6a2f0c6f6826ebba98ce6a4483b80ba16ea

Link:

https://www.unpac.me/results/8c682efe-cb7f-4344-850d-f9efba95160d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1073f4d58084/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1073f4d58084a1341acbc0fd3a3b17ee2794f16bf62b3b317b2117f28c12cc6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 1073f4d58084a1341acbc0fd3a3b17ee2794f16bf62b3b317b2117f28c12cc6b

(this sample)

any.run

https://app.any.run/tasks/e0e19895-c171-4143-a324-d96d1319741a

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/199662/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample