MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SHA3-384 hash: 0f7d27cbe37dcdec76b6acc63545bd67917c2f2ba12ee3f459333e107d62c9b71d82716dc35a8faf6bcba9d45f6ab35a
SHA1 hash: a62d2494f6ba8a02a80a02017e7c347f76b18fa6
MD5 hash: 965fcf373f3e95995f8ae35df758eca1
humanhash: mars-six-ohio-vermont
File name:rqrba.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'487'264 bytes
First seen:2023-10-01 08:52:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 500aa68029ae375a898af1edb3f40b87 (14 x RedLineStealer)
ssdeep 12288:qbYbF8jzyivUBpqoZTaSKlzLR7EnRfaYRZAjTkYWtq67DQC4w4C9u6gohgMmOFwx:q+yzyicBpqoZTgVKfptq6PQMUAgb9/
Threatray 6 similar samples on MalwareBazaar
TLSH T1FE657D6379C4CFA1DEE2107642ECB510427DA4A40B2705DB97F45FEA87216FF2A3E582
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags:77-91-68-78 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://bodegaycocina.co/novias/zip.7z
Verdict:
Malicious activity
Analysis date:
2023-10-01 07:21:08 UTC
Tags:
privateloader evasion opendir loader risepro stealer redline ransomware stop smoke stealc tofsee botnet vidar trojan arkei fabookie miner raccoonclipper teamspy remote g0njxa
Link:
https://app.any.run/tasks/df402038-6780-4dae-ad61-6e07e4faae04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452448/
Detection(s):
Win.Packed.Pwsx-10008461-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/6519336f34be449f011bd18b/reports/3fb31ab8-2f1d-4c7d-a117-09026b6eac35/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/904c84a8-a88d-4efb-ad18-43bf6bfb7c40
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317484
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-01 00:58:03 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qlvldmwkxhyw256cilsp6hvzqpl6bjslpc25y2oyplzkialpj44q._file
Verdict:
malicious
Similar samples:
5fc5e961e2adc131d04cfb81d63320befe3165222505062f03d2d706b627f1a7
RedLineStealer
6566e4617f2b4a89c9d74943c195606280c471cc6a36242c209b831fb7a5db94
RedLineStealer
80ec921ab70600f8214f19be8afc2833fef6a29d6d9bc625e6296204dec649bc
RedLineStealer
84447b2534a241354998b6b6556f74c99775e160d0381466be29cfe8d804bf18
RedLineStealer
9daf0a520001583a07efd8120feaec2b265ff66765621486bab9008b5bbbf532
RedLineStealer
a7a22bca755a347a91faa5e15135cb07320bd0b1e73450f1ce4d73dad8fb77ca
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@ytlogsbot infostealer spyware
Link:
https://tria.ge/reports/231001-kta12abc32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
176.123.4.46:33783
Unpacked files
SH256 hash:
049f83a81d19a76be6ad28ae9cb003a80fabf6cf8e32d7dad8e5e758852e4ead
MD5 hash:
b1dc5dc7755f2f1572be56009b8ea767
SHA1 hash:
ff375b4fae4af3817ce9a4022993981e5e72eb83
Link:
https://www.unpac.me/results/35d252bf-6c4e-4cb3-842a-e650d704486f/
SH256 hash:
5443df0325421dd9043ca131e5ae2b8f714bdf1f776257f7bfe1aedbca306235
MD5 hash:
ae1f2561a45394edf3ac0db0a7a9a20c
SHA1 hash:
9f9fdd429aa146cd6cb5b5a4691b401d18fdcff5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/35d252bf-6c4e-4cb3-842a-e650d704486f/
Parent samples :
60654f277dee97fba63685cde51b03cf797e67333b3257b17f07961d33602947
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SH256 hash:
82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
MD5 hash:
965fcf373f3e95995f8ae35df758eca1
SHA1 hash:
a62d2494f6ba8a02a80a02017e7c347f76b18fa6
Link:
https://www.unpac.me/results/35d252bf-6c4e-4cb3-842a-e650d704486f/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82eab1b2cab9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/452448/
  
URLhaus
https://urlhaus.abuse.ch/url/2715619/
  
Delivery method
Distributed via web download

Comments