MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67a38378609c0eb8141a74e7baa052b01ff5734319b4e434e556c88fffd596b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67a38378609c0eb8141a74e7baa052b01ff5734319b4e434e556c88fffd596b9
SHA3-384 hash: b9cfc39f759162756c6a291c75aba95882b2f1be0bbb48d34de65f757f846f51632be763866a7bca093778ba57b9b7b8
SHA1 hash: 8a8a4a2d76cf03d7f9c9c36af67bc332f047f967
MD5 hash: 9ded1b5b929a412ccb4e139d76dd315a
humanhash: lake-ink-oregon-washington
File name:67A38378609C0EB8141A74E7BAA052B01FF5734319B4E.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'539'948 bytes
First seen:2022-12-22 12:30:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JIlDUwddNcYQ3+DWvJx/rzHcYl0bmADANuoixtCTvM4Y:JIlDpQ3HvJ6YubP0N6xt8v4
TLSH T152F533BB01C4CCAAE2C49D7A2F74E7455755140A3A10296DF7321B87CB7218BF87AB2D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://78.46.254.202/

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
67A38378609C0EB8141A74E7BAA052B01FF5734319B4E.exe
Verdict:
Malicious activity
Analysis date:
2022-12-22 12:31:01 UTC
Tags:
evasion trojan opendir socelars stealer loader smoke rat redline tofsee
Link:
https://app.any.run/tasks/2b5c80f6-5315-4388-9c78-df1bbbf211af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349035/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63a44e07673d3bcb5ee0b795/reports/e288838c-6e24-444d-9f83-b674f6e25264/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13793e56-0353-4fe1-a499-6b13784391a6
Result
Threat name:
CryptOne, Nymaim, PrivateLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139337
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected CryptOne packer
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 772067 Sample: 67A38378609C0EB8141A74E7BAA... Startdate: 22/12/2022 Architecture: WINDOWS Score: 100 158 Multi AV Scanner detection for domain / URL 2->158 160 Malicious sample detected (through community Yara rule) 2->160 162 Antivirus detection for URL or domain 2->162 164 22 other signatures 2->164 14 67A38378609C0EB8141A74E7BAA052B01FF5734319B4E.exe 10 2->14         started        17 svchost.exe 2->17         started        process3 file4 114 C:\Users\user\AppData\...\setup_installer.exe, PE32 14->114 dropped 19 setup_installer.exe 20 14->19         started        23 WerFault.exe 17->23         started        25 WerFault.exe 17->25         started        27 WerFault.exe 17->27         started        29 4 other processes 17->29 process5 file6 106 C:\Users\user\AppData\...\setup_install.exe, PE32 19->106 dropped 108 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 19->108 dropped 110 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 19->110 dropped 112 15 other files (14 malicious) 19->112 dropped 166 Multi AV Scanner detection for dropped file 19->166 31 setup_install.exe 1 19->31         started        signatures7 process8 dnsIp9 150 8.8.8.8 GOOGLEUS United States 31->150 152 127.0.0.1 unknown unknown 31->152 154 Multi AV Scanner detection for dropped file 31->154 156 Adds a directory exclusion to Windows Defender 31->156 35 cmd.exe 1 31->35         started        37 cmd.exe 31->37         started        39 cmd.exe 31->39         started        41 12 other processes 31->41 signatures10 process11 dnsIp12 45 Wed12d3370475.exe 4 39 35->45         started        50 Wed12012a8fb2684.exe 37->50         started        52 Wed12faf99ad49381f2.exe 39->52         started        54 Conhost.exe 39->54         started        134 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->134 168 Submitted sample is a known malware sample 41->168 170 Adds a directory exclusion to Windows Defender 41->170 56 Wed12dc2ddf9464a8.exe 41->56         started        58 Wed1209f30d2721b0.exe 2 41->58         started        60 Wed121d95f16c.exe 41->60         started        62 7 other processes 41->62 signatures13 process14 dnsIp15 136 87.240.129.133 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 45->136 138 95.142.206.2 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 45->138 144 15 other IPs or domains 45->144 116 C:\Users\...\zdoBPjRfks1BZnGu8FSDW1Sx.exe, PE32 45->116 dropped 118 C:\Users\...\wqOhPqyHDivzXcB9pygABk5D.exe, PE32 45->118 dropped 120 C:\Users\...\ZjSxX8rkwcBlcoLYqch_bx7u.exe, PE32 45->120 dropped 130 13 other malicious files 45->130 dropped 174 Multi AV Scanner detection for dropped file 45->174 176 Creates HTML files with .exe extension (expired dropper behavior) 45->176 178 Disable Windows Defender real time protection (registry) 45->178 64 Conhost.exe 45->64         started        140 87.240.137.164 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 50->140 146 2 other IPs or domains 50->146 122 C:\Users\...\nG_Ise6PzfbiZFIHXG3ZrD1a.exe, PE32 50->122 dropped 124 C:\Users\...\UeHndcH1YSok50CiWySV86Di.exe, PE32 50->124 dropped 126 C:\Users\...\SMgPKJxiLPEdItb4qaMm3gWT.exe, PE32 50->126 dropped 132 13 other malicious files 50->132 dropped 180 Tries to harvest and steal browser information (history, passwords, etc) 50->180 66 mshta.exe 52->66         started        128 C:\Users\user\AppData\...\MerwmYND2jdyV.exe, PE32 56->128 dropped 68 cmd.exe 56->68         started        70 cmd.exe 56->70         started        72 WerFault.exe 56->72         started        74 WerFault.exe 56->74         started        182 Injects a PE file into a foreign processes 58->182 76 Wed1209f30d2721b0.exe 58->76         started        78 Wed121d95f16c.exe 60->78         started        142 208.95.112.1 TUT-ASUS United States 62->142 148 3 other IPs or domains 62->148 80 explorer.exe 62->80 injected file16 signatures17 process18 process19 82 cmd.exe 66->82         started        85 conhost.exe 68->85         started        87 taskkill.exe 68->87         started        89 conhost.exe 70->89         started        file20 104 C:\Users\user\AppData\Local\Temp\09xU.exE, PE32 82->104 dropped 91 09xU.exE 82->91         started        94 conhost.exe 82->94         started        96 taskkill.exe 82->96         started        process21 signatures22 172 Multi AV Scanner detection for dropped file 91->172 98 mshta.exe 91->98         started        100 mshta.exe 91->100         started        process23 process24 102 cmd.exe 100->102         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67a38378609c0eb8141a74e7baa052b01ff5734319b4e434e556c88fffd596b9/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 02:48:59 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6ryg6datqhlqfa2ott3vicswap7k42ddg2oinhfk3ei776vs24q._file
Verdict:
malicious
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:fabookie family:nullmixer family:onlylogger family:privateloader family:redline family:smokeloader family:tofsee botnet:ani botnet:logsdiller cloud (telegram: @logsdillabot) botnet:media13 botnet:she aspackv2 backdoor dropper evasion infostealer loader main persistence spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/221222-pp2emshf21/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
ASPack v2.12-2.42
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
OnlyLogger payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
Modifies Windows Defender Real-time Protection settings
NullMixer
OnlyLogger
PrivateLoader
RedLine
RedLine payload
SmokeLoader
Tofsee
Malware Config
C2 Extraction:
http://hsiens.xyz/
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
135.181.129.119:4805
194.104.136.5:46013
91.121.67.60:2151
51.210.137.6:47909
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bcf474b9-5978-4cbe-a4d5-8bc418705642
Unpacked files
SH256 hash:
b7400825df4e2e22e14b51b60809bb7706cd5f8c0c758c08dbb7f97ef3bd0597
MD5 hash:
1651d2eee32c15f79fd5f2e42551f4dc
SHA1 hash:
f254b220184e991792401f4818bcae33ac37ad4f
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
659708b8b0e5a6ef147e8622feeb89cc6a5f6966280974cff0ecc931175e562a
MD5 hash:
b31bc3070560359ce5c4a94c01ee380c
SHA1 hash:
2d0cda4217d76528c0a72dd723845cf9f971f352
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash:
de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash:
ee402371a36bff44c765323ccd8c7e4a56bc8d12
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
ac32075e9418da23b4342d184b0ad413d03d4ff9da468af1ba1c882f0bf07813
MD5 hash:
a8de8aafe63975713f3d4aba63d5f8fb
SHA1 hash:
cf0e0b80e65d33d16550d39c97fd6ddacf04d0d1
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
f64c777abab289837042feb8d86b12a83d48147591fee7c56853f4a9a7c8f6f7
MD5 hash:
d99f11897ec2e7dab1012bda897ca99f
SHA1 hash:
bfa60604743bfb97d965ebef9c7620708690f15f
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
f5b5ae995dbb548e71b90b0369a42d9221f4db326a4f424bdea21d0674c493cc
MD5 hash:
c28020efa9e2ef02b6a638d9655f6e4e
SHA1 hash:
b6cc6ef39f5f8ef3731a5b257083dd54c2657d17
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
375f1046be14d3de4b6d1de32f2bb3a26d08ae5f505dd45b674107fa85d44e59
MD5 hash:
5f1ae4482ae8d492787d8e2246b30b2c
SHA1 hash:
9f4e78ac7c0f27060ae4632908a2ef96ebf94bde
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
0a70b7f03c9d59ab9ae92885e9a6ae99ee380f7758936e3d595e4344940cabcb
MD5 hash:
971188359bd1f21466706e5da7bd8554
SHA1 hash:
9a4f2058ebc1cc154115a2c76b2fc72c9dabcf0b
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
3ecf76318f006cec466dbdaf29586875c898b3795f59ea19e27547147cb277c0
MD5 hash:
6af482f5bac5cb38d3fc4f56904ad680
SHA1 hash:
7efd3f5fdfbaaec7013cc4a785484d08a985e8b1
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
15ccdc39b2d48060bf985f8c9f9335edc2d2ed7c39d85834888cf4d5d560fad1
MD5 hash:
47e16ff30d8f68a83b7670b8129f56db
SHA1 hash:
70598939d56a35934f7e23942ca38fff8fc9d5d6
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
7587d271dd8a29dcb0d68c9f0f77224947cf52758238f5e57e42a3db753aeb40
MD5 hash:
f99d5d4e5cd349d1e136bb754b624b9a
SHA1 hash:
501fd918977d0d2d6994b4760610ebb49e486a3a
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
5098b05f7700e2c401db22cc01e59f15ee4bd626131dcfdab71a601bb359a7f5
MD5 hash:
1f9358d572b65e8532cf0695d79444f9
SHA1 hash:
867a487e6d317c2981e6c6645c24770067888291
Detections:
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
9a2bd2affa4f61fddd2cf83eca1a9023d1275e71d711fee1bf78887097602193
MD5 hash:
955a84181beba0d5cebaaa096a2008fd
SHA1 hash:
4ba42cf5e19c66649ea2f9e23d26f168a9609bc2
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
Parent samples :
f06154d372fa1cd4d5e9c1d5956646c9b4dd80dab46ab1d47f057a0199f5e8f2
67a38378609c0eb8141a74e7baa052b01ff5734319b4e434e556c88fffd596b9
SH256 hash:
51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f
MD5 hash:
59073d016866002414aa2c915f8d1f6e
SHA1 hash:
dc285bc11154c5d4b932514934bd16c71b2a3938
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa
MD5 hash:
4da644a647b164089629ff894110d9cf
SHA1 hash:
8f29d97853790d852203c0921c39609ee8c6b27e
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e
MD5 hash:
488029d7287523022a3a3c0fad808e36
SHA1 hash:
1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
193e48123404352aa554036a4ade29811012f712e4f767e881a342fcd876a7f2
MD5 hash:
fd3e8817c4a04991558513c5e39b4c84
SHA1 hash:
0d804c772406f54a33d2bd77efe3b802a1f2bdb4
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
11e1612b038a10a2a73fd27c4ce24be4f8ccabd777c068481b7fa530d4928b6c
MD5 hash:
17d181be3221834e3ca561c61859250d
SHA1 hash:
0dbf1199c6e11e344fec89a0fe109218fbcc8249
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
c2c12e72eb6af63881068d6a657711a4b71e05f1ba9ec3d054325b13acd94399
MD5 hash:
7ea7361edb9f9733019b12ab8975d3e8
SHA1 hash:
a294f4bc5f85404aac70dbe70fb093e625f83480
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
0c1ce0ad73aa1f4d714a6e155ee3292d4e866cd1f8d583c883cac07ad82c6e4b
MD5 hash:
213bba5fc9b12a6db80b79e67d659e4d
SHA1 hash:
18d8e7f7e60be61a0dd5b3910ce64a89c8b9ce96
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
SH256 hash:
67a38378609c0eb8141a74e7baa052b01ff5734319b4e434e556c88fffd596b9
MD5 hash:
9ded1b5b929a412ccb4e139d76dd315a
SHA1 hash:
8a8a4a2d76cf03d7f9c9c36af67bc332f047f967
Link:
https://www.unpac.me/results/10c98632-2776-44f1-931a-28ca44d845ce/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67a38378609c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67a38378609c0eb8141a74e7baa052b01ff5734319b4e434e556c88fffd596b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_Arechclient2
Create hunting rule
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_b
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_RedLineStealer_3d9371fd
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349035/

Comments