MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12582b160e541b8c0210bb54dd0a40bea2452c9a67bed39bf12578938119ebd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12582b160e541b8c0210bb54dd0a40bea2452c9a67bed39bf12578938119ebd9
SHA3-384 hash: 4796a5ee3e6946c7078a3ed9364115322687823221f9139aa3fdd97a54d3fb857dda0b25687356e6edb93cea5cb4c1c0
SHA1 hash: 936049bbe96cc058c42f156d21001e7a61e03741
MD5 hash: c786df97b15db547398e9c22b8f19284
humanhash: robert-steak-saturn-muppet
File name:Infomartion.bat
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:113'425 bytes
First seen:2022-12-28 08:42:13 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 3072:nbNqk03OTfUv/+K/CZ3apsLInrvNxetULHtxfwDXU:bNXULq3a+InrvNxeknOE
Threatray 3'284 similar samples on MalwareBazaar
TLSH T104B3120DCF3E6E19BA4D833829DA94D5443A4A0E5D98E8F2F3F3386436CD259734A5E4
Reporter 0xToxin
Tags:bat RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Infomartion.bat
Verdict:
Malicious activity
Analysis date:
2022-12-28 08:45:27 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/f0596bf0-8641-43b5-ac2c-ea48aefba2db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Other.Malware-gen.15174.15497.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/63ac01980e926711fd7533d1/reports/7a39d765-282f-4cb2-8324-c4e2fa48ca62/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1142000
Signature
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12582b160e541b8c0210bb54dd0a40bea2452c9a67bed39bf12578938119ebd9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-27 15:35:14 UTC
File Type:
Text (Batch)
AV detection:
1 of 39 (2.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjmcwfqokqnyyaqqxnkn2csax2rekle2m67nhg7rev4jhaiz5pmq._file
Verdict:
malicious
Similar samples:
04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578
RedLineStealer
0c46021aa8d5a1164ee93248ea12f42e05612006943fb9bf32d2d4fbd4a9dcbc
RedLineStealer
211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
RedLineStealer
3b76cb3ab031658b762892f0d4145498eee84da51d451c67c1ca642afd79add1
RedLineStealer
49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c
RedLineStealer
d27fe6a42208e340e992bb1e4b346229d9c2663b9184238e01ab699c3a772a3c
RedLineStealer
e0821c032569fd1820f3399609b27f448db1b9d34043593661ea6000bbcdf0eb
RedLineStealer
f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990
RedLineStealer
+ 3'274 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/221228-kmkxnahg85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12582b160e541b8c0210bb54dd0a40bea2452c9a67bed39bf12578938119ebd9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments