MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22b8162447789a7a0fd4440e491074cb8b02d58e319e1b0d398b26927855fc2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments 1

SHA256 hash:	22b8162447789a7a0fd4440e491074cb8b02d58e319e1b0d398b26927855fc2e
SHA3-384 hash:	2dd44b249c6c8bea9f56cf0e939e25615ad2443a2b544ecd40a4c1367182feaaa1833dabb07071f01b3b0e4688445457
SHA1 hash:	f7d90da3db8b1dbc2c68bb4f38e9fc5365f4cc88
MD5 hash:	22c04ec49de717fd81bcc3ebbaec1e56
humanhash:	lemon-lemon-johnny-wolfram
File name:	22c04ec49de717fd81bcc3ebbaec1e56
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	562'480 bytes
First seen:	2022-03-03 12:13:00 UTC
Last seen:	2022-03-21 06:52:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	12288:MXf5wzzOYpmwRyQS03ULaHNqrxlKIQNoKEqolY3NVzrEei9:MXf51YkKykEaHNYK3d7oy3NVzLi9
Threatray	4'928 similar samples on MalwareBazaar
TLSH	T141C423EB5784340CCA875BB02AEEAE578BA0B3747DC1D0F3B62C869767454D296240FD
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246967/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/709ec564-3f8d-4d6d-92f7-d93468dc5a14

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949954

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22b8162447789a7a0fd4440e491074cb8b02d58e319e1b0d398b26927855fc2e/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-21 06:01:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 42 (73.81%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ek4bmjchpcnhud6uiqheseduzofqfvmoggpbwdjzrmtje6cv7qxa._file

Verdict:

malicious

RedLineStealer

0caba418b4b1ec32a00cdd52e3f6f28b7e8de0ffec030cfd8ae661538619b72b

RedLineStealer

24fe35fea083b89f0cc62ef8b9df0de29395be57b0ee1b160229d667785b6bf0

RedLineStealer

29e2eb857dc6f1b5c2ce97acdad6c3957cbb8dc61b3a5dcaa81e9e925bc006a5

RedLineStealer

c57ec94c7fed128887694b07d817af02c2d19aac98d8d1fbd4004a8accee4ee5

RedLineStealer

f4036a8affaa6f227d3fce3a98b5b9bb752cd434f04587ea4105c58fc96404e2

RedLineStealer

+ 4'918 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220303-pdq5jachaj/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

def2bc08538c7e3e601d4f28931bb3a3bc2935ab39338b9ec4bcd55f9fb99982

MD5 hash:

eb058fca716004823777f171b4cf14eb

SHA1 hash:

04de1c80d267c578b9b2a12412a1d729fb7500fd

Link:

https://www.unpac.me/results/51b73a6e-4b2c-4f4f-b9fe-c61780427cf5/

SH256 hash:

68f8d00de1993e42d020e6a4fadbe873a8de754c486cadbbdf659d9fd481dd83

MD5 hash:

7b54a27745d525954ec6836b0426f62a

SHA1 hash:

a299cb87e2e829df173e72a7c0936b9d3d79c857

Link:

https://www.unpac.me/results/51b73a6e-4b2c-4f4f-b9fe-c61780427cf5/

SH256 hash:

22b8162447789a7a0fd4440e491074cb8b02d58e319e1b0d398b26927855fc2e

MD5 hash:

22c04ec49de717fd81bcc3ebbaec1e56

SHA1 hash:

f7d90da3db8b1dbc2c68bb4f38e9fc5365f4cc88

Link:

https://www.unpac.me/results/51b73a6e-4b2c-4f4f-b9fe-c61780427cf5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/22b8162447789a7a0fd4440e491074cb8b02d58e319e1b0d398b26927855fc2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/