MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31c8b4c57c0c5a0a2682b0e30ae3a696fcbccea956b087d2a84122bc75457c77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31c8b4c57c0c5a0a2682b0e30ae3a696fcbccea956b087d2a84122bc75457c77
SHA3-384 hash: 403a3fa091a3799e1685dbe390165cc4e8c8053e61c5073bc8f3af1a9ea6bd6e4a6f96dd8b30431c3f0ecaac5b90c2a0
SHA1 hash: 785ffcd41eb52f27005a373de5f68c5c86002a9f
MD5 hash: 96682d7d5ef7ee4e1d11a7a738b6da29
humanhash: oscar-cup-mountain-four
File name:MACHINE SPECIFICATION.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:518'144 bytes
First seen:2022-07-23 00:05:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:2iYj31hPx8qVrxH/Pgp8AdaKGGHWwm7ONG6smw:ePx//M6GbmqNGe
Threatray 1'371 similar samples on MalwareBazaar
TLSH T1ACB4E09AA8AFE513D1708B36C4D3C56913787E16DAA3E74B3AE5318B45333E30646387
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
163.123.143.229:50230

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
163.123.143.229:50230 https://threatfox.abuse.ch/ioc/839167/

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293518/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44349.11880.14868-222265.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot packed strictor
Link:
https://www.filescan.io/uploads/62db3baa0e298a94f3f03e60/reports/198e570c-ad44-43ec-901d-b2dfca000506/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9468a8e5-2820-420a-8ee7-c5ff4114d055
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039520
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31c8b4c57c0c5a0a2682b0e30ae3a696fcbccea956b087d2a84122bc75457c77/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 12:48:31 UTC
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gheljrl4brnaujucwdrqvy5gs36lztvjk2yipuviierly5kfpr3q._file
Verdict:
malicious
Similar samples:
2ebcf450b338e1219fed70f14634f2e2fa0ae27abdbbaaec60f86acefd3e6561
RedLineStealer
6ecc41234c9c627fb864d3de10169477884aab6d62c199141a1b1b2da8b7ff8c
RedLineStealer
7370349d22f65927955d817fde07a3c9e1b5235fe3091278ad6899d8026422e3
RedLineStealer
87f1846fd0df28e661944879a85756f80cc8b52de2dae5bd4a358ea62d59cd42
RedLineStealer
8c8804a51f249b24b1ae1ad4487ed7bddd999f2a38158ef789af1c215559470e
RedLineStealer
9c997bb5941de96a571243b7621bf577514cdc9818eb79b1116601fc31f3a17b
RedLineStealer
c7a1c76ba2e7804bef877ca99df2b560906ffe9ebc2cc789b3c260b04db51740
RedLineStealer
cc241fc34501296b9d528cc1a58bee76407a68a811f26705d868c76f496981d3
RedLineStealer
cc355fc1b46dccf580e160778acdfd476c848f22acdeeafd8e5dac7c8f734913
RedLineStealer
e7b7b828f1add6b862ccd69e5b0ecab7fc0926ed6e91f3f273c75a22edef2927
RedLineStealer
+ 1'361 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:xl discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220723-adq27sahhk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
163.123.143.229:50230
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/eb294c92-5686-4041-9b0a-854884852860/
SH256 hash:
8765d4f87889c3f81536ac504abaf977ab5cb908f63c29bbb95d105180a7de77
MD5 hash:
7cc82372b3492c0e016b2d1aafe741e2
SHA1 hash:
b9898aefa1c5496d13eb0a62bd48f3f1443b804b
Link:
https://www.unpac.me/results/eb294c92-5686-4041-9b0a-854884852860/
SH256 hash:
9b101803a13f71c0bb97f15b87f5c2c73f270ecc8588d40f472b75bb7ab14f59
MD5 hash:
fd99ae613ec354edb3533049ecc1be09
SHA1 hash:
b383e4ccf5734fd22e9e2684220a966fbbe9fd99
Link:
https://www.unpac.me/results/eb294c92-5686-4041-9b0a-854884852860/
SH256 hash:
974b77416cd7335a1316a84949c3058cad7572f4c758eb65d4acdd627874bb8d
MD5 hash:
745e16a30f7946375dd19cb66d7ebd7d
SHA1 hash:
4ea96bfc4c98382a886a06b629d52f69c20a5680
Link:
https://www.unpac.me/results/eb294c92-5686-4041-9b0a-854884852860/
SH256 hash:
19f1caddcd101538a693c9a5511306a86889b61a2888786bc0e8b3496fb31d25
MD5 hash:
8850108714781bc35e95bd507bae2078
SHA1 hash:
0cbcf0e42da5ff61888c2336ad6f0570030fe741
Link:
https://www.unpac.me/results/eb294c92-5686-4041-9b0a-854884852860/
SH256 hash:
31c8b4c57c0c5a0a2682b0e30ae3a696fcbccea956b087d2a84122bc75457c77
MD5 hash:
96682d7d5ef7ee4e1d11a7a738b6da29
SHA1 hash:
785ffcd41eb52f27005a373de5f68c5c86002a9f
Link:
https://www.unpac.me/results/eb294c92-5686-4041-9b0a-854884852860/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31c8b4c57c0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/31c8b4c57c0c5a0a2682b0e30ae3a696fcbccea956b087d2a84122bc75457c77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293518/

Comments