MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11f148e988012cd40eefde0e603fc34263eba3a85d080723b7997e081418ab2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11f148e988012cd40eefde0e603fc34263eba3a85d080723b7997e081418ab2f
SHA3-384 hash: bddaedcee95c19d1991532b24f4e1f57c106d54ed9a740329a3d57dfb349ef33f2b375814c8e3b232c2f31a106332d23
SHA1 hash: 40beafe1faeed760d50a46c46d402f85852551b6
MD5 hash: a99f5c3c299b6e42370d19a8d84269cd
humanhash: december-violet-west-spaghetti
File name:a99f5c3c299b6e42370d19a8d84269cd
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:884'544 bytes
First seen:2022-01-07 11:18:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e98c551275977bc4d7eb6f5ee2b3bea2 (1 x AgentTesla, 1 x RedLineStealer)
ssdeep 12288:DFDE4sBrtllut4C4zZRTZRfKnHZJS2V3xtZx/+xXxhJwVR/ov11kBFwByFHvd:DFDElBhQF4fTZRSHrjVjZx/uLX11cp
Threatray 1'507 similar samples on MalwareBazaar
TLSH T16A152204F38A9B07CA50837950AADBB6637AEC064B83C3537AE9DD277F532ED5E94005
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
62.182.159.86:65531 https://threatfox.abuse.ch/ioc/291591/

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a99f5c3c299b6e42370d19a8d84269cd
Verdict:
Malicious activity
Analysis date:
2022-01-07 11:20:17 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/35a30e30-367a-4646-9cc5-e2e27ee89814

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217702/
Detection(s):
SecuriteInfo.com.Variant.Jaik.50027.13636.17291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending an HTTP GET request
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
anti-debug exploit overlay packed redline
Link:
https://www.filescan.io/uploads/61d821ab02e388f9fdb2c1fd/reports/ec335354-78cd-4aba-b53c-738808513fb6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b373c3b-58c6-44f3-bcaf-70223f79e33b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916796
Signature
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11f148e988012cd40eefde0e603fc34263eba3a85d080723b7997e081418ab2f/
Threat name:
Win32.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 12:12:35 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chyur2miaewnidxp3yhgap6dijr6xi5ilueaoi5xtf7aqfayvmxq._file
Verdict:
malicious
Similar samples:
09a996ac5f7ab1a72f0ae488b92997555ef0e89afb8a534b1f608b6e25f40ae1
RedLineStealer
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
RedLineStealer
35d04737f87fbd1cb97d05dda7d795b419ddc767131034a0d00193b8f68f3330
RedLineStealer
55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb
RedLineStealer
5e5ba3f528a0725d55becd3493cb94486e9c27537d7b6f3a1b0edc78dc4baec8
RedLineStealer
767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
RedLineStealer
aa3abbd93819a58f0612b60cf1cfcc3a296e10d1b776555b8a3f967608b00f06
RedLineStealer
b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2
RedLineStealer
bdec451319f1a86616ff05a77bbce9272dbfe1c3900e9d8c94c7fec1aabcbdf2
RedLineStealer
+ 1'497 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220107-nevzfacbe6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
83f5efbad0e36acb44cad37899baab012ff77f525477710cc4f099c93e443908
MD5 hash:
53122e347c5cb5951cb0c482cba047ee
SHA1 hash:
451ab3154f4e5a0eacfd799f055c810b876b8ac7
Link:
https://www.unpac.me/results/d23b988e-be5a-4805-bc8d-17bdc3011942/
SH256 hash:
a3bca8ddb95ee74770192fd1083d11998e3b1bcdd3efde92ca076814b1c462d0
MD5 hash:
07d132c582dab10112627a521300dda9
SHA1 hash:
3fb7363c9d96d69a72c35cda1623c156b5583ee4
Link:
https://www.unpac.me/results/d23b988e-be5a-4805-bc8d-17bdc3011942/
SH256 hash:
25165b9d69d32ad0db2a8682c6fa036aa35795c9b22c18ef696a9a57c2d99fb8
MD5 hash:
62c9601184bb92557c6c129f766bffdb
SHA1 hash:
eb791176b769a8121f7779e0ccbb7365316de76c
Link:
https://www.unpac.me/results/d23b988e-be5a-4805-bc8d-17bdc3011942/
SH256 hash:
11f148e988012cd40eefde0e603fc34263eba3a85d080723b7997e081418ab2f
MD5 hash:
a99f5c3c299b6e42370d19a8d84269cd
SHA1 hash:
40beafe1faeed760d50a46c46d402f85852551b6
Link:
https://www.unpac.me/results/d23b988e-be5a-4805-bc8d-17bdc3011942/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/11f148e98801/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11f148e988012cd40eefde0e603fc34263eba3a85d080723b7997e081418ab2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 11f148e988012cd40eefde0e603fc34263eba3a85d080723b7997e081418ab2f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1955139/
Cape
Cape
https://www.capesandbox.com/analysis/217702/

Comments


Avatar
zbet commented on 2022-01-07 11:18:51 UTC

url : hxxp://181.214.152.249/blog/posts/383.exe