MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80608a762c346569312d594b7944f4b9e6c38658f39424d038774836fd113cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18


SHA256 hash: 80608a762c346569312d594b7944f4b9e6c38658f39424d038774836fd113cbd
SHA3-384 hash: f2312567a0564bf48c0fc8042e7533fd13687546e481ba31f45f149704665e907ad35e5f6846bf2e1950fd5900d03d2a
SHA1 hash: 79ad78940d2d15f6b8c7cc39f68c851c9a7350e9
MD5 hash: e7c5337c67ca59484ceea44a31caeeb6
humanhash: arizona-low-item-helium
File name: e7c5337c67ca59484ceea44a31caeeb6.exe
Signature: RedLineStealer
File size: 333'587 bytes
First seen: 2023-06-18 07:06:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b08b8f2c51a828d36a7944c4db6dcc00 (10 x RedLineStealer)
ssdeep: 6144:vgavM0Xy7kTjIAVGmVpehfPWl0uAGwguAWoLROSvLQx1He:e0C7GjzMmVpgW+wLROw+1+
Threatray: 1'593 similar samples on MalwareBazaar
TLSH: T1B0647C41FC64C530C48EF4720DA996B976A26DB9B663ADCF33087696C32DBC0A7EC055
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe RedLineStealer
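Before detonating or reversing a sample pulled from this entry, confirm that the bytes on disk are the ones the record describes. The script below is an added example, not MalwareBazaar code: it computes the four digests the entry publishes (MD5, SHA1, SHA256, SHA3-384) in one pass and compares each against the values above. The RECORD values are copied from this page; the stand-in bytes in the usage section are constructed so the script runs offline and are not the real sample.

```python
"""Verify a downloaded sample against the hashes recorded in a MalwareBazaar entry.

Added example, not MalwareBazaar code. RECORD is copied from this entry; the
bytes used under __main__ are constructed here and are NOT the real sample.
"""
import hashlib
from pathlib import Path
from typing import Dict, Union

# Digests as published on this MalwareBazaar page (lower-case hex).
RECORD: Dict[str, str] = {
    "md5": "e7c5337c67ca59484ceea44a31caeeb6",
    "sha1": "79ad78940d2d15f6b8c7cc39f68c851c9a7350e9",
    "sha256": "80608a762c346569312d594b7944f4b9e6c38658f39424d038774836fd113cbd",
    "sha3_384": "f2312567a0564bf48c0fc8042e7533fd13687546e481ba31f45f149704665e907ad35e5f6846bf2e1950fd5900d03d2a",
}

# hashlib names for the four algorithms MalwareBazaar lists.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Return all four digests for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: Union[str, Path], chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file once through all four hash objects (fine for large samples)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_record(digests: Dict[str, str],
                          record: Dict[str, str] = RECORD) -> Dict[str, bool]:
    """Compare computed digests with the record, algorithm by algorithm.

    Comparison is case-insensitive so a copy-pasted upper-case hash still matches.
    Each algorithm is reported separately: if MD5 agrees but SHA256 does not,
    you are not holding the recorded file and should stop and re-fetch.
    """
    return {name: digests[name].lower() == record[name].lower()
            for name in ALGORITHMS if name in record}


def is_recorded_sample(data: bytes, record: Dict[str, str] = RECORD) -> bool:
    """True only when every published digest matches."""
    return all(verify_against_record(compute_hashes(data), record).values())


if __name__ == "__main__":
    # Constructed stand-in; a real triage run would call
    # hash_file("e7c5337c67ca59484ceea44a31caeeb6.exe") on the downloaded file.
    fake_sample = b"MZ" + b"\x00" * 62 + b"not the real sample"
    for algo, ok in verify_against_record(compute_hashes(fake_sample)).items():
        print(f"{algo:9s} {'match' if ok else 'MISMATCH'}")
    print("recorded sample:", is_recorded_sample(fake_sample))
```

The script covers only the cryptographic digests; the imphash, ssdeep and TLSH values in the record need third-party libraries (pefile, ssdeep, tlsh) and are similarity hashes rather than identity checks, so a match on them alone does not prove you have this exact file.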


abuse_ch
RedLineStealer C2:
83.97.73.129:19071

Intelligence


File Origin
# of uploads: 1
# of downloads: 270
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: e7c5337c67ca59484ceea44a31caeeb6.exe
Verdict: Malicious activity
Analysis date: 2023-06-18 07:08:42 UTC
Tags: rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2023-06-18 07:07:06 UTC
File Type: PE (Exe)
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:jason discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: 83.97.73.129:19071
Unpacked files
SHA256 hash: 33a81da57e572f1561236347d8beb3b0eb093b1b7962b4bdfb76427a04437bbc
MD5 hash: f0a3f72e05ee322dea33e35fb5ac5cdd
SHA1 hash: 90149866996186fe9d94c1e3eb5156dc3c6d8ec4
Detections: redline
Parent samples:
1e1aa0b00559445d9b507c8e3bb1d1c0173ed4b960fcdd66ed630cd0ae012eda
4865bcf291c5629fbf94730d91c13429e77664b1c865b85c49b09fd9671bbc5b
5ea65da532ee70eabf6ce6745c285d5128ecb4cc7f49a28452d437a33b52e71b
9beee2d4848622c5bb3686e2a73de440a035a92b902965c051f2ec00d89a0855
9456c0f1d340d89235a3b4c2bea52961d5c800d788e60cfeb7cb80341b1975fc
a8d458f09e64e73810d4883609484f0eb69d32be5ff3df3953bf5dbd8e91739a
b6515d33c444e4c201feb0111927e260ca6ec188fef7abe26052f4af9e560b48
cbdeb8735187ad12456992918f44b405c1104c4862e1cec49614dea7929d79ae
e3a666a1e70b62d4acd36f81abb22a8d522cc33a5b9e476bd6c1d7ae75c3c096
d1960cecd43b18f2bba88cf2d8792a4f2f40ae777317ee704ac2bedf1601a963
48d982c4069e5935d6cbefdb362057a7eeb525774fee32cd2c89f05feeaf9164
84250afc3aceb11c177e01b8683fa4e4d9d3b2674fb4df84b2053bc7de8116f9
c8452dee5f248c46b6b0bfc142a896a49a136d20b99a313a5b5ea83d03e5f25e
23c797de3816ea78b55e97b5376171ba1b2004b9798dbc178f93830f9e15c3e9
89150cc6b1fec12b8f3343f2053f3e6f9d1dbc3b36f306e1ecca104863b6550e
16640649c532297d5f95bb14ac50616b3a58684e4d6f5a88d2a7b6b92c1e9c64
b1fb32eda328ccce253eaf7d8c4b8618b293cb1d79cee628ea405731c02f7679
afa1add708e314472aa8126b1b00e1f61acd66c5d4ef3703b2c27953057f7e2c
3f16e6050c09d6247941986d1f427159f9f2bb7877429f13239530a7ca6fb92d
8fc72a15483121e28d32cd20923a66e78453a34830d7d5de0d91ceab32d370ce
58cb16b794f00f8441d07562d6198c804a0cf18eebc9ee192a4973094cc88e4f
51f2d68eabfbeb31fc017b7a24f03db0a1c4e51a429cef54f16a4511c06ab820
29c3aad8996c57a1e662321369198c86604e1a654358d02837285d31dc4a4fb8
2686ce6be518271fd03e269dd4fb351a1b8dce41aaa79ae78a5718b4ae146cf2
8a83601c02dec8e4f90c49d828e5371b1b91e1a3c37eb8b973339842d79c9e5b
f21eabd7c404e87ff69bf50d64b1ba55000ac340dec5f9ef6746fb0d73452543
d6891cddd005e7ca41b6a500c1885a049ddfade5b9e7f6f9d3e794fd22af47fd
c68fd52d4107967cb24e81629ff2e9766f8c45884450471764ab7e083281fa76
cada464030fa323cf8a19f9ea570b96fc4e89273c2601492fd969f43a4a7a1eb
8925a2ab412e7856502fd7325cf4b5ad029bf977588e5d3ff4da620c22c359eb
3bb3dad3e9fb2c91ff244073bb5b8f35464d81f3218e1fe3ebe9f4ccfd796631
305d0c4c38e9feba4734b2216b767eaa0dd19eae298c3f9c153f373853c4db13
6746d63d5df8f4a5bf39aee66a578785a20a929e3e5bdf73acb323601af1add1
3dfefa770cf6ce4a134c0000d208fb755716b5e8c237d278f0125b294df48911
c918143ff5d0c03e5c412cac4d173a0ffa8bb92fe4a3715ab87bd3d64108dfe6
80608a762c346569312d594b7944f4b9e6c38658f39424d038774836fd113cbd
78f0cd821b6e0d331c9e186d66ca04c8766789c0b351c3bfd4c1b44f912e5920
b9bceb31efc256f9218952d1068995f53ea0493f74ef81b1ae4d68dad508ea26
3b7ae6b4e5e3a76014fb29ec9ebb6e2add85961250df085eeff61bd48bb40851
4a509624369002589a8604133012f49600936974f8c21c09feeb24f2773ec0ba
3f2051ab0aeb47ce4bc6d231050b9a63f5c8dbd446952368caf0a21326db7a7e
a3881ba63bb6eee834f648f3cbf8bbfc536f756a5f89e6ddddabc6e6146c8c65
f1dde2cae132eb345e6be243fd1be1e33fc0d236048a9dddcea0eb9ade0c74e3
908d960690ca02be6f6f051d06b9f36c049be0133764c88431ef82ef60f265a1
0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3
cb59071c2d0d856249d3e61d1608c7d3540cf4c62452b73633e6ebb2be04a640
6d608750bbfc5f0b1d17c6b3b81134e47d554dbc0f8027cc6272fe25294ba055
931c056d2e79b9d6ae120ba950d6f0f7bbfd1dd8e7f2c9f4968def362e5367c0
fe8011920fad19637bb245f3373bc15d3fe3d95d002cf36bae2c250af6a30ccf
d2fa637a9aee590049f846268be2fe0480a8106c780b8c01a06849558563dca2
44f2a10c1455e6ca8bf034f3971aeb2f5088b9cd4d8001e5297ed28e1a190932
7f181c4cf11e21168b8a0b7f60a012c683f845904379ab5bbdccc6dbe2d24587
f7fe840da7cd741193c468d5c1d335213d37eb288ebab27d7ae073c35d534067
cc0cb5e7f82ff2fcd0ab620eb50db924c5b5da99299a7e9fb8c32d6ba838162a
0dd3f8b25459c4e5e8eabfe91f24381813035cf7c71837ccb6e5f6899e48c27f
b4607aae407434f45df102dc0fbc48eb94f57bdd730b54de7f9794d513803562
a0c7f743c592d393632dfbe907cde342f6943643496df124c63ed3972a2b7ed7
670178005a929a57eabb27779652cb9a79ce489f1b56480632935c7009741530
b364aab9f80ba2c65cc76ee48eb9ac71420f9386c5de0894dd7f77d6414f7ee0
671b6e0375fc885da99ce2c51370fc7fb99f077c970ed0a396036fc2a34edd3e
8f541dd0c30d47d2382340a2c42ad7a12b76c811765027bf0bc0ccfe9b57ca31
4a5a315b924ff04334593bbef8019695c4ef0a75b317c2422ff66f921db436e6
a2559e8863443f7e8fe12d466e331b19b88141f5eb134d6f640195a1de89408b
52d62d22db57f9a53a9a924ce26d5a441dbbf2140ca78f86a705c1a3a82075b9
56962d43a4995cf51e78893baa3709e8c160203f215774bef5f27f4140645e4e
5113e298d4f3603da4800cc0918868c2bd7d2a3baea3de898231e8aa927a0f12
98e6f328e026d4ae0241c766af9e4cf8cfe4b6d694fe01acde39f175eb973d6a
6b39f104620e96a5e7581443fa92a1d0bb321ba8005e3d246b276115e2eb96a2
67da3e8ccb76e565dc1a899bb96b5d51e16db231eccfe593505ff15af29e5ae2
76f29168e447c07f9b92d42c94bd164bafd9cfd62dc96de4551debf3cab1bbfd
fcd4323f0cb3a00811f2681835769dbbae1d6ac49dda54e6a6c6feebc0bf4422
ced0eeac3a6f50e7a6eceab34a08c6aeb61e2f761063e7b9f21d4f4011f82527
58ea163a29ce693a1d145dc052090e346d8f4c98ef984865084814e8fc75c7c1
164b7bcce9d3b679eda6efe23601b7d9a4871814a397e93966efda4fb05fe2b1
23917ae4d25e4318bc8e4faec6fc20662d8cb7e9d8658538fb5aaf3eb745d572
4dc4de4fd9c3d668813affa1996971c63a3b49d784dfa587ffcc564f1a6af65b
7a681f53ed33db87b62ae308fe287a5626758529ea7696c91b42fb5b8c97a165
b17a7f8d5cf0e6d06d3c8bc355ee2a18a3a413ca5cfc7ad40d9884d6f7e05b40
44f427bdd489ad5f9d796ec4ce9f1e808b75340e44b21c06b2f1dd8c4b8dda49
7aedd4e4160594456de8d0b13cf6424d7d842d62a9f1d827f55ee3cc39de9481
b78440d7f0883e037a1eb57319c4735e627d0f6e5201200323a69a34cfe83b0d
c238520d436c5d8f2b77a21e5472161540494daeba6e2885ebce194db0e2e1e2
d7dc6d0e5f0e4cca35a949271e84204b166fce5a81f6a052bb948806fb35ed53
1299acb9d4b5e82da6dae5e586b5ad0996cad140b8075701961fd32b22363113
SHA256 hash: dc6b410a36d8ebbbd94b57be5ffccfb3d88392e265798cb51391e0b85fbea6be
MD5 hash: a1c1105e31242a54f04c690e99e884a0
SHA1 hash: 1aebab9ea73d2765227c4b933461e050fa8fc853
SHA256 hash: 80608a762c346569312d594b7944f4b9e6c38658f39424d038774836fd113cbd
MD5 hash: e7c5337c67ca59484ceea44a31caeeb6
SHA1 hash: 79ad78940d2d15f6b8c7cc39f68c851c9a7350e9
Malware family: RedLine.E
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.
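The C2 socket reported by abuse_ch and recovered from the extracted malware config, 83.97.73.129:19071, is the most directly actionable indicator on this page. The script below is an added example, not vendor or MalwareBazaar code: it hunts for that socket in Zeek conn.log records and emits a Snort/Suricata rule for it. The log lines are constructed for the example, and the rule SID is an assumed local-range value, not one allocated by any vendor.

```python
"""Hunt for the RedLine C2 published in this MalwareBazaar entry in Zeek conn.log
data, and emit a matching Snort/Suricata rule.

Added example, not MalwareBazaar or vendor code. The C2 socket is taken from the
entry; SAMPLE_CONN_LOG is constructed for this example; the SID is an assumed
local-range value.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# IOC from this entry: RedLine C2 (host, TCP port).
REDLINE_C2: Tuple[str, int] = ("83.97.73.129", 19071)

# Default Zeek conn.log column order (only the first nine columns are used here).
ZEEK_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
               "id.resp_p", "proto", "service", "duration")

# Constructed conn.log excerpt: one benign TLS flow, two flows to the C2 socket,
# and one flow to the C2 host on an unrelated port.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "1687072000.10\tCabc1\t10.0.0.25\t51512\t142.250.74.110\t443\ttcp\tssl\t1.2",
    "1687072005.44\tCabc2\t10.0.0.25\t51530\t83.97.73.129\t19071\ttcp\t-\t0.9",
    "1687072009.01\tCabc3\t10.0.0.31\t49800\t83.97.73.129\t8080\ttcp\thttp\t0.3",
    "1687072012.70\tCabc4\t10.0.0.40\t49812\t83.97.73.129\t19071\ttcp\t-\t4.5",
]


def parse_zeek_conn(line: str) -> Optional[Dict[str, str]]:
    """Parse one TSV conn.log record; header ('#...') and short rows yield None."""
    if not line or line.startswith("#"):
        return None
    cols = line.rstrip("\n").split("\t")
    if len(cols) < 6:
        return None
    return dict(zip(ZEEK_FIELDS, cols))


def match_c2(record: Dict[str, str], iocs: Iterable[Tuple[str, int]]) -> Optional[str]:
    """'high' for an exact host:port hit, 'ip_only' if just the host matches, else None.

    An ip_only hit still deserves a look (operators move ports on the same host),
    but it also fires on unrelated services if the IP is shared hosting.
    """
    for ip, port in iocs:
        if record.get("id.resp_h") == ip:
            try:
                return "high" if int(record.get("id.resp_p", -1)) == port else "ip_only"
            except ValueError:
                return "ip_only"
    return None


def find_c2_connections(lines: Iterable[str],
                        iocs: Iterable[Tuple[str, int]] = (REDLINE_C2,)) -> List[Dict[str, str]]:
    """Return one summary dict per flow whose responder matches an IOC."""
    iocs = list(iocs)
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_zeek_conn(line)
        if rec is None:
            continue
        confidence = match_c2(rec, iocs)
        if confidence:
            hits.append({
                "ts": rec["ts"],
                "src": rec["id.orig_h"],
                "dst": f"{rec['id.resp_h']}:{rec['id.resp_p']}",
                "confidence": confidence,
            })
    return hits


def snort_rule(ip: str, port: int, sid: int = 9000001) -> str:
    """Snort 2.x / Suricata-compatible rule for outbound flows to the C2 socket.

    sid 9000001 is an assumed value in the local range; use your own allocation.
    """
    return (
        f"alert tcp $HOME_NET any -> {ip} {port} "
        f'(msg:"RedLine Stealer C2 (MalwareBazaar 80608a76...)"; '
        f"flow:to_server,established; classtype:trojan-activity; "
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_CONN_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} [{hit['confidence']}]")
    print(snort_rule(*REDLINE_C2))
```

Matching on the full host:port pair is what turns this IOC into a high-confidence alert; a rule or search keyed on the IP alone inherits every other tenant of that address, which is why the hunt reports host-only hits separately.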

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer: Executable exe 80608a762c346569312d594b7944f4b9e6c38658f39424d038774836fd113cbd (this sample)
Delivery method: Distributed via web download

Comments