MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba
SHA3-384 hash: 16456f2a571631923f293936733294e9def4c461cac267375a7fdfb2387264a1e284b7e4b7e0c446b9d7a4e579b11020
SHA1 hash: 66ba94b0cc06e8757d84e51c62e01f618bcb1962
MD5 hash: 4344da0b0998b9c75505db1460efca2b
humanhash: violet-skylark-july-blue
File name:4344da0b0998b9c75505db1460efca2b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:459'264 bytes
First seen:2021-10-11 05:47:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 12288:25oaqjp/9TgxISo7CG0bPmS72moHkJHBDsP9:25v4DTgxiCG0b+S6vHsOP9
Threatray 79 similar samples on MalwareBazaar
TLSH T133A4F056B1E01199DBB480FAC9520706EB30797A1B14B3DB177416B71B1F8CA9F3D3A4
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4344da0b0998b9c75505db1460efca2b
Verdict:
No threats detected
Analysis date:
2021-10-11 06:24:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7ba6486c-77e3-4dd8-ba8a-a804daee0b69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196441/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33822938.14445.490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6163d0161c2d58ba74012dad/reports/e6ed73e3-42d1-4b79-893c-6459e596b98e/overview
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/868245
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500672 Sample: h0n986huQ5 Startdate: 12/10/2021 Architecture: WINDOWS Score: 45 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected BatToExe compiled binary 2->32 7 h0n986huQ5.exe 9 2->7         started        process3 file4 24 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 7->24 dropped 10 cmd.exe 1 3 7->10         started        12 conhost.exe 7->12         started        process5 process6 14 extd.exe 1 10->14         started        17 extd.exe 2 10->17         started        20 extd.exe 2 10->20         started        22 extd.exe 1 10->22         started        dnsIp7 34 Multi AV Scanner detection for dropped file 14->34 26 162.159.133.233, 443, 49761 CLOUDFLARENETUS United States 17->26 28 cdn.discordapp.com 162.159.130.233, 443, 49753 CLOUDFLARENETUS United States 20->28 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba/
Threat name:
Win64.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 05:48:06 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0757a3b97f39c1d8a6c3d94770762a3912304cfaffa0330761945acd7f236213
RedLineStealer
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
RedLineStealer
19f71da28ebab8fe7256a657c603698ad607a7273e85d0e8b107269643cfa5dd
RedLineStealer
30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49
RedLineStealer
b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
RedLineStealer
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
RedLineStealer
ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b
RedLineStealer
ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
RedLineStealer
+ 69 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer upx
Link:
https://tria.ge/reports/211011-ghfklagdd9/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1665203/
Cape
Cape
https://www.capesandbox.com/analysis/196441/

Comments


Avatar
zbet commented on 2021-10-11 05:47:24 UTC

url : hxxp://103.159.133.159/store/items/98.exe