MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8518a3dbbde48c22f575fbe532efd02fdbf96322b2d76269b5168708572bf050. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8518a3dbbde48c22f575fbe532efd02fdbf96322b2d76269b5168708572bf050
SHA3-384 hash: edb9839a3875801f25961b8d6591a2f7c5e916e332df464a68456ec73847169053da4f2781631d98c449e65947ca948d
SHA1 hash: 0af2a4db9fabdfce84f9ea4ac0b2d0eaebe2ef5b
MD5 hash: e519421b53d18996825361e1cc60724f
humanhash: batman-romeo-august-virginia
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:364'544 bytes
First seen:2022-10-22 14:51:45 UTC
Last seen:2022-10-22 15:39:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 58e9f95ed6d92653f27682257d068dc1 (6 x RedLineStealer, 4 x Smoke Loader, 3 x Tofsee)
ssdeep 6144:3jL71YA2jpNIju8UZOBD3eFvCU1BIgXxKmBxQdrtrpGxzGO7TkKWtwYH7:3j31YAkedteFv51BLUmBxQdrtrpGxHW
Threatray 7'381 similar samples on MalwareBazaar
TLSH T1017401603983C472C18651714476EF9655BFE8B228A14D4B3B683BEDBE303D26A7B707
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 4b168e4ca64a3333 (2 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://91.212.166.11/MicrosoftKey.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.212.166.11:47242 https://threatfox.abuse.ch/ioc/915786/

Intelligence

File Origin
# of uploads :
25
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-22 14:52:16 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/359906a9-1aac-4607-bc85-163794f88397

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/322688/
Detection(s):
Win.Dropper.Tofsee-9975524-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed tofsee
Link:
https://www.filescan.io/uploads/63540393339362a6061b462d/reports/46338583-1b55-4c93-a93c-9658bf98eab1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44e01053-6830-4db4-b793-d89361abea29
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095545
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8518a3dbbde48c22f575fbe532efd02fdbf96322b2d76269b5168708572bf050/
Threat name:
Win32.Trojan.Caynamer
Create hunting rule
Status:
Malicious
First seen:
2022-10-22 15:15:00 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qumkhw554sgcf5lv7pstf36qf7n7syzcwllwe2nvc2dqqvzl6bia._file
Verdict:
malicious
Similar samples:
081b0a7eb7b9e34765d38ad8a992519b4293365f3424d8557b04b46bc3381b5f
RedLineStealer
0d9623fa6d328b356a3799643b6fc4ac111d96ece622adebd10cbd4d9e7f0278
RedLineStealer
12d6e79f85ad8ecc661f26bd5aae8e1b93e8620f859bf52afe5dfcc084d9ad5c
RedLineStealer
16d66ec8672548b725ebebf03a80987b3acd9f714d5873226616e19d2beeb657
RedLineStealer
675a16619499fb548a0d2d3ef524d690827370570fb9f23a59d14f3e4cc848fd
RedLineStealer
8bcc52edc0cc9586df70520e675b1ce0860c8788245f05104170481be4c1c04d
RedLineStealer
ce227036ab094ced8e0c4b0251aef02a117e6aade33203293d427836474be920
RedLineStealer
+ 7'371 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:dozkey discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221022-r8p7tsdfh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
91.212.166.11:47242
Gathering data
Unpacked files
SH256 hash:
53cc331473ada42e0034c0af527b28e184cd2c9bdf63928490be4458d753a289
MD5 hash:
5105229d6743f11b879099bb6a6a25e5
SHA1 hash:
7a99af596eb23f6d686c2786fc7328410a824138
Link:
https://www.unpac.me/results/40ff19c7-f101-405d-ac34-d5c0d62bad6e/
SH256 hash:
ac38bd1d935a4ac29323c57d8ac041bb0a2bb5b7e0cc87422bd95d95ab9d8fc5
MD5 hash:
0e2e1260120d2b3fb653b17aad8569f8
SHA1 hash:
770eb5f41b5318485180a65a849f484a3857e254
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/40ff19c7-f101-405d-ac34-d5c0d62bad6e/
Parent samples :
16d66ec8672548b725ebebf03a80987b3acd9f714d5873226616e19d2beeb657
8bcc52edc0cc9586df70520e675b1ce0860c8788245f05104170481be4c1c04d
675a16619499fb548a0d2d3ef524d690827370570fb9f23a59d14f3e4cc848fd
ce227036ab094ced8e0c4b0251aef02a117e6aade33203293d427836474be920
b9db7a724624df1aa5eba363058a2daed37379edf3ad3ba6e7f5adf28b4ea044
a86c24217a4f0bf89e690ae375f797dcd08d88f4d60f10c633cc12da1490f26b
0d9623fa6d328b356a3799643b6fc4ac111d96ece622adebd10cbd4d9e7f0278
12d6e79f85ad8ecc661f26bd5aae8e1b93e8620f859bf52afe5dfcc084d9ad5c
081b0a7eb7b9e34765d38ad8a992519b4293365f3424d8557b04b46bc3381b5f
8518a3dbbde48c22f575fbe532efd02fdbf96322b2d76269b5168708572bf050
ad79ff65468c5c8644e27c2ee877188c3e0f1961c003cd2562829b8e04e6e53c
003a9e32b95bb8360d1bebe5f0f569fb39c33bcfac0a3fcc085a97ae1390d5c4
4a9d44a9eb96a6fefffce293f2f377da03eb46f74d8b8aa2236bcdbdcff60e35
1966323ff15fee4a7b6ac5c948e0a039cef4e05af70865c1d9d3d2fe3bf40251
10b8405d9d920f87df2c6b22aef053325a861381e524375416881d38172a75a7
88e22ec73480121734da4ac2794ac54b553c2792f846ff6f0cfee87577de9103
afae41f0a238b37a8f47c1f120cbeeb988c556d2cc2197178eecc76495a327b9
a96538ece8662b0da63cbe74d64a5292dc5bd56f48bfe61cacd737bf8a18cb97
2f8a8173dd24b71394305d211084f8ee53a4492e58604d56c4968f91489a1236
49f47c2af13aecee38df115dbe564616d179c90767dc9f96893e953cad62828d
0c195d0caa454b6c7897ef8bf3ed318e1fac68d6b3e6d34724d5f735d4e0046b
415b5bbcace7b732413f38c4fb5ca37f8dc8b779d1830949d6a5c2b199d54b58
f4145c65b81d7c2b1fbb05979f4452ac47e91ecc8f3ebb1bca0bfaeb38f2b015
d59e9e7c481303c6954b84e2cb3784d26e680394e5f5c01f7f9cebfc3d0642a0
efe623cf0529d8251ec2f3c40c4878fe517f3087b585436d4736d0be71156898
277a5a09829de54f8913f3a9507d0472f889d3eaea6d0429dc094ff88115c714
575548b5adb43fbb4d2bb757f1c3bd9022db8e89cfa66999a78faa233ff463a7
7ded8c3cbfce23c85dcd9de203bce223e834de5de6f7e2bdc9da5eb901fc96cf
74fc89b29f0e235241bd295225cbe74b377620edd2677656a86a52d5d651ea84
02c67bae155217ff8c2b9851429a9133dcc600c3e7056438bdc8106ec82fba99
34924f6d7eb447e02b934214ccf60fa32170a18c9f073bafa19a5236322d2249
e0d9374be949be7e00c8f13fe238bfd56c9b7c31b95c707f1d0f033c443ad6e3
dba3b540e8c4340443247224b33923cf8fa5ba132aee92da29404c4e70269d9c
ff2d185f7b87c518c23ce4855e926d15b5a6d08d9bad2f455bc14784bd1532d7
6dd20652f201b05ba7c8e671d789046feee0ba098acf65d863da84f3b236f37f
d6264f23108ab79fd253a5d8b95ef01d65b6f270e01d0aa7aef38fd394c08d68
eb3b668ae8db9fb6eced456e9f56a4525fb70d18063e5142f26d263abd41bbfa
6926eeb39ee949db67eec12b16badb612fe4eefbf54b1173aab32601bfc74609
cfe7e8623ffeb3b2bbffdf26c5154738b4df9dc9d478b35ec1fb9d84c5646c75
d695c04a50d3681d65d65ccca6668d3a92104af1082d9bfaf532b74ab8fb1058
9a99e028f882f2cb640a0f3dbb550ba09430957a7cb86b0a20796c452a572da6
0830a8d926b55ae8e14691a9dfb398b84ee3231984e9f766ecb0fd7a8bfcd5b0
bfd531924282d888c2ba9a14c0335ab0438ab66129a5fac5f7965160f14c4a0c
2e538d9cd939da5ad0dc52874b631e9fe4557018cfad024bce1e85b8ee3d91f3
0d70227182c03284419b9c3f639e443fb79a986d46ddb16d6efbbcdfee7b4509
f0d1fb1cb1863b6c9053fca5925093bf4cadaee580d4c672396734e81c9f28ca
6605e08df3d69919194b4cc6174c467a5a4dadfee773cf30aac3148c32e57971
8515cb317f4f61f60155b347a0dcf3c0b816c7c121a029e5eed4c34b1d94c6c3
f5da3aea3fa5167083f6888395bd73101981b456902bc36d8e1a5d769b87af89
07aafa336750ed683f0ecbdc0ff918a9e712892cc1ede8ad186932fd3d582736
6bfef62c7b088ffe670ff8bdc8b139f2d1fa04e976b539a5dcbcdf41e7388453
08718d7824a831b51a6fd57b900b080eed0d82117b75b26b43220049181738b8
SH256 hash:
c56b72f04ec8956ee293d62abce93d17cc0dc7845a48f67ae06cf07aad3bf2ca
MD5 hash:
246ad4108e83e0385f26d8b340afd237
SHA1 hash:
444feb526ae001b1be71a9bedf4c35fc206c9092
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/40ff19c7-f101-405d-ac34-d5c0d62bad6e/
Parent samples :
16d66ec8672548b725ebebf03a80987b3acd9f714d5873226616e19d2beeb657
675a16619499fb548a0d2d3ef524d690827370570fb9f23a59d14f3e4cc848fd
b9db7a724624df1aa5eba363058a2daed37379edf3ad3ba6e7f5adf28b4ea044
0d9623fa6d328b356a3799643b6fc4ac111d96ece622adebd10cbd4d9e7f0278
8518a3dbbde48c22f575fbe532efd02fdbf96322b2d76269b5168708572bf050
003a9e32b95bb8360d1bebe5f0f569fb39c33bcfac0a3fcc085a97ae1390d5c4
10b8405d9d920f87df2c6b22aef053325a861381e524375416881d38172a75a7
88e22ec73480121734da4ac2794ac54b553c2792f846ff6f0cfee87577de9103
afae41f0a238b37a8f47c1f120cbeeb988c556d2cc2197178eecc76495a327b9
a96538ece8662b0da63cbe74d64a5292dc5bd56f48bfe61cacd737bf8a18cb97
49f47c2af13aecee38df115dbe564616d179c90767dc9f96893e953cad62828d
0c195d0caa454b6c7897ef8bf3ed318e1fac68d6b3e6d34724d5f735d4e0046b
415b5bbcace7b732413f38c4fb5ca37f8dc8b779d1830949d6a5c2b199d54b58
f4145c65b81d7c2b1fbb05979f4452ac47e91ecc8f3ebb1bca0bfaeb38f2b015
575548b5adb43fbb4d2bb757f1c3bd9022db8e89cfa66999a78faa233ff463a7
7ded8c3cbfce23c85dcd9de203bce223e834de5de6f7e2bdc9da5eb901fc96cf
74fc89b29f0e235241bd295225cbe74b377620edd2677656a86a52d5d651ea84
34924f6d7eb447e02b934214ccf60fa32170a18c9f073bafa19a5236322d2249
e0d9374be949be7e00c8f13fe238bfd56c9b7c31b95c707f1d0f033c443ad6e3
dba3b540e8c4340443247224b33923cf8fa5ba132aee92da29404c4e70269d9c
ff2d185f7b87c518c23ce4855e926d15b5a6d08d9bad2f455bc14784bd1532d7
cfe7e8623ffeb3b2bbffdf26c5154738b4df9dc9d478b35ec1fb9d84c5646c75
9a99e028f882f2cb640a0f3dbb550ba09430957a7cb86b0a20796c452a572da6
f0d1fb1cb1863b6c9053fca5925093bf4cadaee580d4c672396734e81c9f28ca
6605e08df3d69919194b4cc6174c467a5a4dadfee773cf30aac3148c32e57971
SH256 hash:
8518a3dbbde48c22f575fbe532efd02fdbf96322b2d76269b5168708572bf050
MD5 hash:
e519421b53d18996825361e1cc60724f
SHA1 hash:
0af2a4db9fabdfce84f9ea4ac0b2d0eaebe2ef5b
Link:
https://www.unpac.me/results/40ff19c7-f101-405d-ac34-d5c0d62bad6e/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8518a3dbbde4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8518a3dbbde48c22f575fbe532efd02fdbf96322b2d76269b5168708572bf050

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/322688/

Comments