MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6812d2c704a12a02c87a5b7152ebc3294d71f31262460115a23a4d8b5e4cb5b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

SHA256 hash: 6812d2c704a12a02c87a5b7152ebc3294d71f31262460115a23a4d8b5e4cb5b3
SHA3-384 hash: 6b7bb225047ebc8a5e7cf8a1f3d883fcdde6fc3a1084526859c7b613d829dea6c57f9cef5ba35c98fcb15e34582fece5
SHA1 hash: 8d8c88430d7a43abb1b3772de1e5ba7093e46697
MD5 hash: df44df4cd65c0b0909ee7dcfbb8dc4ad
humanhash: twelve-snake-victor-florida
File name: df44df4cd65c0b0909ee7dcfbb8dc4ad.exe
Signature: RedLineStealer
File size: 5'886'794 bytes
First seen: 2024-01-22 09:43:53 UTC
Last seen: 2024-01-22 11:24:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep: 98304:CcCD7LKIfR0cxqHXetqlxyAR8EH7xdOBsk/zA9Q+zrAD5b/nCNJkF3NVg9OrfDt:Cj7LV09XetqPvKE9dY7A9QcrADxYJk39
Threatray: 1 similar samples on MalwareBazaar
TLSH: T16256339ABA41CD75F8077275A4F51E0287E509250FB83F4DB34CB9B23A32323955BA72
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 329
Origin country: NL
Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Launching a process
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Searching for synchronization primitives
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: DarkTortilla, RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [graph image not reproducible in text; Behavior Graph ID 1378604, sample 0IY4t0eqn2.exe, start date 22/01/2024, architecture WINDOWS, score 100]
Threat name: Win32.Trojan.Doina
Status: Malicious
First seen: 2023-09-29 01:10:28 UTC
AV detection: 18 of 22 (81.82%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline evasion infostealer link pdf themida trojan
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine payload
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
