MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82bd69c7b58c486211c511d719f44cf734ddc90d062431ef366d77f32557b5e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82bd69c7b58c486211c511d719f44cf734ddc90d062431ef366d77f32557b5e6
SHA3-384 hash: 4609536d9179e108cc103d0665d93459748ee51a7cadb6ca657f5e450faaaa33025696e34c2bbd2cfa3f330a9b45c09e
SHA1 hash: 85f4ec272f54e58007aed382973291aef789ba92
MD5 hash: b38081db438dc4757be31b71506d8401
humanhash: mango-fillet-speaker-zebra
File name:b38081db438dc4757be31b71506d8401.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'605'632 bytes
First seen:2021-02-15 07:56:55 UTC
Last seen:2021-02-15 09:54:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:cQazHSvi7AYaf+dk+gzYsptyXoTkxChx40SSR0o6y2:SzPAYaf+2JzYNBxChxTSSR0o6y2
Threatray 33 similar samples on MalwareBazaar
TLSH 3E7549D8AD89C9C2F9F2B5F09C05C96147A52C25A84CC58D0EF939BB85746D3EC1A0BF
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLikeStealer C2:
http://deffind.xyz/

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b38081db438dc4757be31b71506d8401.exe
Verdict:
Malicious activity
Analysis date:
2021-02-15 08:00:31 UTC
Tags:
trojan rat redline stealer phishing
Link:
https://app.any.run/tasks/f023d341-a13b-4479-b2f2-1a0b043720e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117144/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45729187.16740.17120.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/607851
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82bd69c7b58c486211c511d719f44cf734ddc90d062431ef366d77f32557b5e6/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-15 07:57:11 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
06c523efc119e25eb28a59b9778ef4f7d738bc6bcd701c696568719ba6e6cee6
RedLineStealer
20510b85596724711f8fb4c7111055086f6e44845206038fa7b7c4bcfebf2265
RedLineStealer
60a4e3f1d748ace4e6b82ba68fce30bf35b0f2e6bbbb9aa1e8d690c7406b744d
RedLineStealer
7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9
RedLineStealer
8b2c21c13d38bbf20fd65e3a6b840315e14d60c0dc7e131104a5ea8b73699953
RedLineStealer
ab726a7fa6bca9c0d71686c601534a575530461a42160f7c74e3eae694f64012
RedLineStealer
caee9387d7ef6216014c68f4acb557c2eaee0b6e9dd79141288eb1d9d06bf30c
RedLineStealer
d8b71994b025ebed63397309543305e2fb8f463025eb94b020abce565d346329
RedLineStealer
e401a949ac7801d662b4f05acb3dc55e604de12632f032c6efecbc607a848ba9
RedLineStealer
e4284aaa6ccfa009dd95cc4d35c49f592d708453dec75a41390caf26781e638f
RedLineStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware
Link:
https://tria.ge/reports/210215-ft4ewxm3n2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
82bd69c7b58c486211c511d719f44cf734ddc90d062431ef366d77f32557b5e6
MD5 hash:
b38081db438dc4757be31b71506d8401
SHA1 hash:
85f4ec272f54e58007aed382973291aef789ba92
Link:
https://www.unpac.me/results/480ffdfa-8dc0-4efb-af12-3fad90295e1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82bd69c7b58c486211c511d719f44cf734ddc90d062431ef366d77f32557b5e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 82bd69c7b58c486211c511d719f44cf734ddc90d062431ef366d77f32557b5e6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1001099/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117144/

Comments