MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
SHA3-384 hash: 73c6ca3ed7ccf4b40484e0b75d71f768566e30d8de65e7a21197424488c7fde2bd1da2aff5095645f369cf9cd2cebcc2
SHA1 hash: 08277d382d8cedc9a56abd6feca7a58f866b6519
MD5 hash: e150f91742838997639edd06a1c44ebc
humanhash: green-snake-kentucky-utah
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'029'120 bytes
First seen:2022-09-08 12:06:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:WU60uXt7oSXjDIfhjJFLLXv2wddwSFa0srUSNb:WUO7lPSRLLXOwoSw5rUqb
Threatray 534 similar samples on MalwareBazaar
TLSH T11025739D712072EFC85BD4729EA92D68FB5034BB835F8217A02715AD9E4D897CF240F2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://www.psicomedodontoclinical.com.br/wp-content/uploads/2022/09/v07090.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
0c4ab27f3d48f5215b4d21f64f1b929c242175e4744fe0b41bf952e7ee01999ce0ee92dfda3ab6dad7610e1b8ae82041a72278c6800adf46d57dea9cdd8bdeb0
Verdict:
Malicious activity
Analysis date:
2022-09-08 12:09:38 UTC
Tags:
trojan sinkhole opendir loader evasion socelars stealer rat redline ransomware stop miner tofsee
Link:
https://app.any.run/tasks/0d5e8208-8864-4444-b94a-a3028d38f063

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308766/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.5758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending a custom TCP request
Creating a file in the system32 subdirectories
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6319db41a90642bcbbef4f43/reports/c48d26c0-0bd8-4255-8167-2a6eb666a2c9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/491f5a9d-02c0-4f9d-8a8c-822d47a460c1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 12:07:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eph5rsnatbg55xe4s7fz575pdgmlwrarbjgescjeccnc6c533iba._file
Verdict:
malicious
Similar samples:
13f0dc7a12f1bc8d4a79097e51f673358380cc825fbf892f696fc8355c52b838
RedLineStealer
1b00cf03f26724d9e9cff35a8d3d2e42f2518827e9564513b348fc163de153b6
RedLineStealer
1fecd284567ab13f0c92dad3ae05fc2f4f1ad678de8bcceca62991f88990d090
RedLineStealer
2032f4c705391c616308c070f4aa16aed376c18cdc1deb207e8c9048edb0cce8
RedLineStealer
23f376834acabc2c3d683f70e6646b6409fdfad4613ebd3087bf8c20d2b2629f
RedLineStealer
408e38b4d81de63e5762dcb8024f81360b426429821f9934b087aa0a6b44c56f
RedLineStealer
7da2d1a4480abcd09e623396da276219ca59bebbb221a09f465f0f66ecc2a571
RedLineStealer
83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf
RedLineStealer
ba82cdc4db591f35dc0371faf051f1ace9f8e0151b01cc8d0568102351ee8cdf
RedLineStealer
+ 524 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:0809_0x00 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220908-paandaeed7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
ns3.livelogs.xyz:81
Unpacked files
SH256 hash:
e245c4a7d41e095b5c5136a89e698bd11e452594d864e250607cff2b2efadbab
MD5 hash:
6c991f5490cd23d8df31d89864395b21
SHA1 hash:
a6e3fde5d6f72fce36c5a8955a6025d92efb4356
Link:
https://www.unpac.me/results/47fe5a52-feec-4565-85e8-90419c5f20c5/
SH256 hash:
4c128e57a8885582e8279865d77fbfcc6df25be88eb113a670313dd7b9158243
MD5 hash:
dd67ec0a05944b6154847cfffcfe4346
SHA1 hash:
6bcf73e58476071bd5f94cf8f6b488e15c09e82f
Link:
https://www.unpac.me/results/47fe5a52-feec-4565-85e8-90419c5f20c5/
SH256 hash:
df39f04fd30fc83ef622596875a5a58939120f90ac528c559e3af1d5bfa2d980
MD5 hash:
6354f732c4bad23ddb12654ae877d902
SHA1 hash:
41244a217eddca0281262f159a536de0c2f2c70c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/47fe5a52-feec-4565-85e8-90419c5f20c5/
Parent samples :
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
48b7969c0e98ceeaf092239414881993f0a55152956fd59e1da14e2da01ee4fd
SH256 hash:
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
MD5 hash:
e150f91742838997639edd06a1c44ebc
SHA1 hash:
08277d382d8cedc9a56abd6feca7a58f866b6519
Link:
https://www.unpac.me/results/47fe5a52-feec-4565-85e8-90419c5f20c5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/23cfd8c9a098/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2296219/
Cape
Cape
https://www.capesandbox.com/analysis/308766/

Comments