MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8355e066ae48e210654ca5bf8d75af256562ea2a039a81b71d99350994ad5a63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8355e066ae48e210654ca5bf8d75af256562ea2a039a81b71d99350994ad5a63
SHA3-384 hash: d6e4c264cdd17fcb711289aa9ca2ad13552392634e6498dd437f3fd733ff7d966af048cb93c501ff8606cf1aad1f079e
SHA1 hash: 13e1584094c306f6c15c9606a01ecf92bec8289b
MD5 hash: 7d130e1d4a480a536499d5b10cd66021
humanhash: fillet-failed-item-red
File name:8355E066AE48E210654CA5BF8D75AF256562EA2A039A8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'245'696 bytes
First seen:2022-10-24 20:55:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e5fb44131b18bc2538c1611ac718dbe5 (15 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 24576:TcLtWeOjdpB3qHYYiYNWYaQ7oMLsd/q4z+fsyQ9MD:TcLtWJjdp1qohcsylD
TLSH T159454C3AE71614B4D7635772C58EFB7B9B147A248022AE3FBF4ADA0CB5330126CC5256
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
8355E066AE48E210654CA5BF8D75AF256562EA2A039A8.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 20:57:51 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/5e437d5d-624a-4000-a7c1-8edf7b5adc05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323651/
Detection(s):
Win.Packed.Redlinestealer-9968104-0
Create hunting rule

Win.Packed.Redlinestealer-9968112-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45149/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2739ee3-d83a-47ba-ae47-c70eda091204
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097004
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729644 Sample: 8355E066AE48E210654CA5BF8D7... Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 105 goback.delivery 2->105 123 Snort IDS alert for network traffic 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for dropped file 2->127 129 10 other signatures 2->129 11 8355E066AE48E210654CA5BF8D75AF256562EA2A039A8.exe 1 2->11         started        14 svcupdater.exe 14 2 2->14         started        17 chrome.exe 2->17         started        19 chrome.exe 2->19         started        signatures3 process4 dnsIp5 159 Writes to foreign memory regions 11->159 161 Injects a PE file into a foreign processes 11->161 21 AppLaunch.exe 15 11 11->21         started        26 conhost.exe 11->26         started        121 clipper.guru 45.159.189.115, 49702, 49786, 80 HOSTING-SOLUTIONSUS Netherlands 14->121 163 Machine Learning detection for dropped file 14->163 signatures6 process7 dnsIp8 107 185.215.113.83, 49697, 60722 WHOLESALECONNECTIONSNL Portugal 21->107 109 adigitalshop.com 151.106.122.215, 443, 49700 PLUSSERVER-ASN1DE Germany 21->109 111 2 other IPs or domains 21->111 87 C:\Users\user\AppData\Local\Temp\start.exe, PE32+ 21->87 dropped 89 C:\Users\user\AppData\Local\...\test.exe, PE32 21->89 dropped 91 C:\Users\user\AppData\Local\...\ofg.exe, PE32 21->91 dropped 93 2 other malicious files 21->93 dropped 131 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->131 133 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->133 135 Tries to harvest and steal browser information (history, passwords, etc) 21->135 137 Tries to steal Crypto Currency Wallets 21->137 28 chrome.exe 21->28         started        32 test.exe 1 21->32         started        34 ofg.exe 5 21->34         started        36 2 other processes 21->36 file9 signatures10 process11 file12 97 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 28->97 dropped 165 Multi AV Scanner detection for dropped file 28->165 167 Detected unpacking (changes PE section rights) 28->167 169 Machine Learning detection for dropped file 28->169 183 2 other signatures 28->183 38 GoogleUpdate.exe 28->38         started        55 3 other processes 28->55 171 Writes to foreign memory regions 32->171 173 Allocates memory in foreign processes 32->173 175 Injects a PE file into a foreign processes 32->175 42 vbc.exe 32->42         started        57 3 other processes 32->57 99 C:\Users\user\AppData\...\svcupdater.exe, Unknown 34->99 dropped 45 cmd.exe 1 34->45         started        101 C:\Users\user\AppData\Local\Temp\321A.tmp, PE32+ 36->101 dropped 103 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 36->103 dropped 177 Antivirus detection for dropped file 36->177 179 Modifies the context of a thread in another process (thread injection) 36->179 181 Adds a directory exclusion to Windows Defender 36->181 47 cmd.exe 36->47         started        49 cmd.exe 36->49         started        51 powershell.exe 36->51         started        53 powershell.exe 36->53         started        signatures13 process14 dnsIp15 113 51.195.77.210, 443, 49705, 49707 OVHFR France 38->113 115 api.peer2profit.com 172.66.43.60, 443, 49704, 49706 CLOUDFLARENETUS United States 38->115 139 Uses netsh to modify the Windows network and firewall settings 38->139 141 Modifies the windows firewall 38->141 59 netsh.exe 38->59         started        67 2 other processes 38->67 117 t.me 149.154.167.99, 443, 49720 TELEGRAMRU United Kingdom 42->117 119 78.47.204.168, 49731, 80 HETZNER-ASDE Germany 42->119 95 C:\ProgramData\sqlite3.dll, PE32 42->95 dropped 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->143 145 Tries to harvest and steal browser information (history, passwords, etc) 42->145 147 DLL side loading technique detected 42->147 149 Tries to steal Crypto Currency Wallets 42->149 61 cmd.exe 42->61         started        151 Uses cmd line tools excessively to alter registry or file data 45->151 153 Uses schtasks.exe or at.exe to add and modify task schedules 45->153 155 Uses powercfg.exe to modify the power settings 45->155 69 2 other processes 45->69 71 11 other processes 47->71 157 Modifies power options to not sleep / hibernate 49->157 73 5 other processes 49->73 63 conhost.exe 51->63         started        65 conhost.exe 53->65         started        75 3 other processes 55->75 file16 signatures17 process18 process19 77 conhost.exe 59->77         started        79 conhost.exe 61->79         started        81 timeout.exe 61->81         started        83 conhost.exe 67->83         started        85 conhost.exe 67->85         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8355e066ae48e210654ca5bf8d75af256562ea2a039a81b71d99350994ad5a63/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-18 01:03:06 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qnk6azvojdrbazkmuw7y25npevswf2rkaonidny5te2qtffnljrq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/221024-zqz83saeg6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
185.215.113.83:60722
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
bd83fcaa6ef5f14aac035ea2551972b5cf07c4f87d79e3b3ae43c3ce04a3eb3a
MD5 hash:
c690db942db0a8b33119ea9893fe975f
SHA1 hash:
edff9584a3cbc849ef42de5d84f9fcbd463adaef
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/c7734584-5a00-44c4-b357-c0eaf0d3e817/
SH256 hash:
8355e066ae48e210654ca5bf8d75af256562ea2a039a81b71d99350994ad5a63
MD5 hash:
7d130e1d4a480a536499d5b10cd66021
SHA1 hash:
13e1584094c306f6c15c9606a01ecf92bec8289b
Link:
https://www.unpac.me/results/c7734584-5a00-44c4-b357-c0eaf0d3e817/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8355e066ae48e210654ca5bf8d75af256562ea2a039a81b71d99350994ad5a63

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323651/

Comments