MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8208ef91cffa99ab8cf0a73e44dc60327ca1c0fdf3fc837012e0b03b9a178114. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8208ef91cffa99ab8cf0a73e44dc60327ca1c0fdf3fc837012e0b03b9a178114
SHA3-384 hash: 2c87ba9a22fa43a9f163fc62844e021a546b629c4ebf16115bc198254a6c93ddbdd2895540e3409e736125b2d186f8e7
SHA1 hash: bfeebdf2f950b883d6858cb4234493ee5621589a
MD5 hash: caed3763fee7a60d84be09915e6ca4de
humanhash: whiskey-dakota-burger-idaho
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:222'208 bytes
First seen:2022-11-23 01:03:55 UTC
Last seen:2022-11-23 04:53:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f889c281b8c32c3abe6d39de60b78eca (19 x RedLineStealer)
ssdeep 3072:c84v790Lox+J4ETyre2xRc0jqr76OlnA9DMpYU4KZe8JbJ3Yl6PR+cpY8jwVS:cfvZ0Loqwe2xrjq6O4MJ4bM5Y4+cE
Threatray 1'585 similar samples on MalwareBazaar
TLSH T1F624AD1734C07131C45FC6B121A54BE7003FA6B367E6960BA30C9E1EB6615FA63A2BF5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence

File Origin
# of uploads :
58
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-23 01:04:49 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e17956a5-ccde-4b7b-b21f-859108334aee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337391/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.20724.5306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Connecting to a non-recommended domain
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/637d718300c584752ee1893e/reports/d3a25c34-3a9d-4250-a9b5-50654ec8a4dd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a690931-6b51-426f-b485-443f0bfde92d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119351
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8208ef91cffa99ab8cf0a73e44dc60327ca1c0fdf3fc837012e0b03b9a178114/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 01:04:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qieo7eop7km2xdhqu47ejxdagj6kdqh56p6ig4as4cydxgqxqeka._file
Verdict:
malicious
Similar samples:
00b6ed886450dcf28adc280a58a6e00c3176fd14c0fe216d95fd6d18b9471556
RedLineStealer
1c1b1d19e8811b999d628b5af81dd2bc87e8da7d9339b97af4511346b4d6ea3b
RedLineStealer
200bb7cb4ff972ed61d1f4d6b2893dc611e8aa1005bbba8b28d1b7e56f6677f4
RedLineStealer
338cc123ec7abe0d687cf0495afee191e9cc4a2a349356b659f048537536b8cd
RedLineStealer
46e18fad13ebfad29bed81f274e06e412972bf4ff5a30785cf7417386d16b50a
RedLineStealer
57bf65723e2e88cb15192a635854f6206d608dee41e2767a4e6b56d9f930dba8
RedLineStealer
b3e14be741aad18d69038dfff3faef9f99a0974df8d7032fdab383a30cadbedd
RedLineStealer
+ 1'575 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@madboyza infostealer spyware
Link:
https://tria.ge/reports/221123-bex3ksae41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.138:32796
Unpacked files
SH256 hash:
9dd5783e9f43622a87333d58ccedea122b3105b486cea24738341ef1c8405807
MD5 hash:
36609b0b49fed631b2975737adf6a54c
SHA1 hash:
a53f6e723d944242ce1dc3fb6b42d24a709171ef
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8b7e4dd8-3c47-4e49-861f-cefc1bd0e843/
Parent samples :
4793af5e6a701a792d1231a4207b99300825299b23955328972acbfde974e767
560e0662eecb2264719ca61bba61b346859bea504df1d56fcd3187bc9c76c127
75343ea11a86a196b2d96631f2ad6e356c174b7384bb65ee48a85127de6398a1
af01210f66e352694f6afa5e1ae902e8695ad97f64f20718e8a6b9f304b49205
f141b20a08ae1ee0caebf6546670eec63877fb24f9fa54f5dc9e7f49ff2227b5
16dc4e660bb8bad9fe37dfd3e48bab7186c534cb74038908761dc96fcf631b0c
e160c6a1598c4b3465b0a2399b72365dc98fc7303d0fb1df75efbef3dd47a7ac
82237a370ea8967bc2307c2a01d43714888b69eaae6f3e3aa0cf536cd3381cbb
3f37bdfc487c25b9a7b7ade0574a221cbc4c6976f8d5b46a2bcf08f6c0c5ed96
9a11305a7524bab8a9c9beba2ee51f9f3f43d3492d62404d16db4dad089c2a4c
c4a4d4a5ac19fdbeb6006a9cada8cf5874f3d54007c298ac0194d093cb27a8df
c3c9d57b69a22007ac8f0d953dd65a969ce5cd5b28bf32f01348d4c39d04cc97
f6e87692e433ad1d832706b4ffb04db9be5324aad182dbaca8771532dbd8ab43
3655cc3e4e09965e4e1d928ab39adfbbf48d2fe8a8b4ac82b1f7b5106d4b3060
4011f8505bd51033b7630c9bf8d3980a7ef32bff63d4cbb93a8670cd8970191a
d215e0f12d216e67363b0ebc350ef577d18394391ac2e67bd1be80b017c754bd
2001a40e77d8a37b42e506df3cdd3a86235dd96c98858269266b9dce091067f3
390d379f35583beb0d78a110c94deb8f9f1d86f044aeeab747941a6694a024f1
6daf7900ef4d017304e938a43288641ce01d198226d38ca1bbcb698174d1cc58
2df68056b556372617da4d90083f12ba94a356c2f5ed42de0538b4f7977beb47
bfa81a7cdd552a98409482bf39993652c5b01e39028c4d18236c55fe87fff9dc
11795c605b8b8d1577a59529f2d6eb3ef19a0a928ff9a6aa9ee2e7ba8911e6fa
63d2833a7277e21b3424b9c1a0cdbb3e0ffa351618d15571e042bab6ac0719ca
44823ecea45f731b47777588d5ef18c133b6ed1bd0ce02ef8271a84c7d2dd9d1
4fa7a289bbd1d429cd82588d82a7fabb7d7d860772a43d39a5c0c3b7048c9513
57bf65723e2e88cb15192a635854f6206d608dee41e2767a4e6b56d9f930dba8
338cc123ec7abe0d687cf0495afee191e9cc4a2a349356b659f048537536b8cd
46e18fad13ebfad29bed81f274e06e412972bf4ff5a30785cf7417386d16b50a
8208ef91cffa99ab8cf0a73e44dc60327ca1c0fdf3fc837012e0b03b9a178114
204d101b1ac41060d5e04d0aaaddac9330e9f71dfb838a48f066cd78e2e14069
f7f8331fdca8b5295b827ff019422c7e7cb230b2a44ff55c741cbf76bc3b5921
65bd762c2dd45d442278e1403bb99a14106699d1f74060333693439c189adb87
a551f426ce655d03096a708ffd0fdec2f2a73900ce7a2688669dd652373711d5
42cf041d4d3d613c8cb9fdef4d97ae376ba6aedee91334d7ba90cac8e406a915
8d12ae8f190f7aded36f1969061fdd1c3561fb57134a9337bf089004bb22d93f
3af19579e2c8eb86693ee66a7a8480341ac21c6a182f26019d55848ce331035e
940500749a001e36878aff9894508ae739fbcda7b2c86d6ec08114343641c7f8
8ff06f162af40677ce2ca5e03c1152917970948210b8c0046aeeacfc605ef37e
e7eacedacc384d3a016897ec73941f0631e677aceabd2d197699702450858b1c
9bf3326064cae1d3dc2eeba1047cced65ffdf6b25231bb50c92ccbf88471ebd0
b899357e86ada031c0193c56e29b2c9321970d6346be050b019ddfd800c0fee8
70cb9d5fe361f791922e3078552cc8bd92a232394a563c541f0364007411580c
SH256 hash:
8208ef91cffa99ab8cf0a73e44dc60327ca1c0fdf3fc837012e0b03b9a178114
MD5 hash:
caed3763fee7a60d84be09915e6ca4de
SHA1 hash:
bfeebdf2f950b883d6858cb4234493ee5621589a
Link:
https://www.unpac.me/results/8b7e4dd8-3c47-4e49-861f-cefc1bd0e843/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8208ef91cffa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8208ef91cffa99ab8cf0a73e44dc60327ca1c0fdf3fc837012e0b03b9a178114

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2403396/
Cape
Cape
https://www.capesandbox.com/analysis/337391/

Comments