MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85273b02df3b1611648f0187d890fbbefed5865f93453af003a18e8729b1e627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 85273b02df3b1611648f0187d890fbbefed5865f93453af003a18e8729b1e627
SHA3-384 hash: d4df28116bf0c75fb0fc14444ed3be3022596dde1d5e63256161e6456dfc7511b3c1dc8c6f346443d4af1cf9785b709f
SHA1 hash: c059334d7becada6015d5ee98f14fd5a7e35b03e
MD5 hash: f37bc82cabddf6a2435471b1ccaabd28
humanhash: leopard-hydrogen-video-west
File name: f37bc82cabddf6a2435471b1ccaabd28
Signature: RedLineStealer
File size: 1'102'123 bytes
First seen: 2021-08-14 13:46:43 UTC
Last seen: 2021-08-14 14:41:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 667e6d0f434d248524103ade13b913e4 (5 x RedLineStealer, 1 x CoinMiner, 1 x RaccoonStealer)
ssdeep 24576:RSLXvGxcpX6vR5lqSTx3QnPypPBwijZ4XyKFO1uY7m5HQYk:6OaYZ5jQn6VBwid4XyuqRyk
TLSH T1B9351302E993836AC153B7FE750CFA7440A58D3F471066C373B0FEDA69E8E899A15271
dhash icon f0e8aa868e96d0f0 (1 x CryptBot, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence


File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f37bc82cabddf6a2435471b1ccaabd28
Verdict:
Malicious activity
Analysis date:
2021-08-14 13:47:46 UTC
Tags:
autoit trojan rat redline stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
DNS request
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
76 / 100
Signature
Creates processes via WMI
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Behavior Graph ID: 465328
Sample: Eqnf1R99fL
Start date: 14/08/2021
Architecture: WINDOWS
Score: 76
Graph-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location
Process tree recovered from the graph (signatures, dropped files and DNS lookups are listed on the process they were attributed to):
Eqnf1R99fL.exe
    cmd.exe -- Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        cmd.exe -- Obfuscated command line found; Uses ping.exe to sleep
            Orlo.exe.com -- Drops PE files with a suspicious file extension
                Orlo.exe.com -- DNS: ZsOlgCDvrndcMghomKmKknuQKyI.ZsOlgCDvrndcMghomKmKknuQKyI; drops C:\Users\user\AppData\...\eRvZmSJdOd.exe.com (PE32); drops C:\Users\user\AppData\...\eRvZmSJdOd.url (MS)
            findstr.exe -- drops C:\Users\user\AppData\Local\...\Orlo.exe.com (Targa)
            PING.EXE
        conhost.exe
    dllhost.exe
wscript.exe -- Creates processes via WMI
eRvZmSJdOd.exe.com -- DNS: ZsOlgCDvrndcMghomKmKknuQKyI.ZsOlgCDvrndcMghomKmKknuQKyI
Threat name:
Win32.Trojan.Sabsik
Status:
Malicious
First seen:
2021-08-11 19:08:19 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:felix1008 discovery infostealer spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.188.22.4:45689
Unpacked files
SHA256 hash:
cf522cebdd69dc51303d17b0ff6c0a73af9013f97158dd75dd32eb6304a02cba
MD5 hash:
e7be1f251fabdc2111781199fa5eb514
SHA1 hash:
5e92d9a7178fdef9b5c99683a8e02617fe147b39
SHA256 hash:
85273b02df3b1611648f0187d890fbbefed5865f93453af003a18e8729b1e627
MD5 hash:
f37bc82cabddf6a2435471b1ccaabd28
SHA1 hash:
c059334d7becada6015d5ee98f14fd5a7e35b03e
Malware family:
RedLine
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
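The three sandbox reports above agree on a small set of behaviours that are cheap to detect in endpoint telemetry: ping.exe against a loopback address used as a delay, findstr.exe carving a payload out of a non-executable file, execution of a double-extension ".exe.com" file, a .url dropped into the Startup folder, a process created via WMI, and the extracted C2 endpoint. The script below is an added example and is not code from MalwareBazaar or from any of the vendors quoted on this page. It replays constructed Sysmon-style events through those rules; every path, command line and event id in SAMPLE_EVENTS is invented to resemble the reported chain, and the only value taken from the page is the C2 address 193.188.22.4:45689.

```python
import re
from typing import Dict, List

# C2 endpoint reported in the vendor config extraction above (page data).
C2_IOCS = {("193.188.22.4", 45689)}

# Constructed telemetry modelled on the sandbox behaviour reported above.
# Paths, command lines and ids are illustrative assumptions, not captured data.
SAMPLE_EVENTS: List[dict] = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\Desktop\Eqnf1R99fL.exe", "cmdline": "Eqnf1R99fL.exe"},
    {"id": 2, "type": "process", "parent": r"C:\Users\user\Desktop\Eqnf1R99fL.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c cmd < Nero.vss & ping -n 5 localhost"},
    {"id": 3, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr /V /R "^AbCdEf$" Lei.tga'},
    {"id": 4, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 30 localhost"},
    {"id": 5, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\Orlo.exe.com",
     "cmdline": "Orlo.exe.com Lei.tga"},
    {"id": 6, "type": "file",
     "image": r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\Orlo.exe.com",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eRvZmSJdOd.url"},
    {"id": 7, "type": "process", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\user\AppData\Roaming\eRvZmSJdOd.exe.com",
     "cmdline": "eRvZmSJdOd.exe.com"},
    {"id": 8, "type": "network",
     "image": r"C:\Users\user\AppData\Roaming\eRvZmSJdOd.exe.com",
     "dst": "193.188.22.4", "dport": 45689},
    {"id": 9, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

LOOPBACK = re.compile(r"(?<!\S)(127\.0\.0\.1|localhost|::1)(?!\S)", re.I)
DOUBLE_EXT = re.compile(r"\.(exe|scr|dll|bat|cmd|vbs|js)\.(com|exe|pif|scr)$", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
STARTUP_SCRIPT_EXT = (".url", ".vbs", ".js", ".bat", ".cmd")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ping_as_sleep(ev: dict) -> bool:
    # "Uses ping.exe to sleep": a counted ping against a loopback address.
    if ev["type"] != "process" or "ping" not in ev["cmdline"].lower():
        return False
    cmd = ev["cmdline"]
    return bool(re.search(r"-n\s+\d+", cmd, re.I)) and bool(LOOPBACK.search(cmd))


def findstr_carve(ev: dict) -> bool:
    # findstr /V used to strip a marker line and carve a payload out of a decoy file.
    return (ev["type"] == "process" and basename(ev["image"]) == "findstr.exe"
            and "/v" in ev["cmdline"].lower())


def double_extension_exec(ev: dict) -> bool:
    # "Drops PE files with a suspicious file extension": execution of x.exe.com and friends.
    return ev["type"] == "process" and bool(DOUBLE_EXT.search(ev["image"]))


def wmi_spawn(ev: dict) -> bool:
    # "Creates processes via WMI": the child is parented by the WMI provider host.
    return ev["type"] == "process" and basename(ev["parent"]) == "wmiprvse.exe"


def startup_url_drop(ev: dict) -> bool:
    # "Drops script at startup location" / "Enabling autorun by creating a file".
    if ev["type"] != "file":
        return False
    target = ev["target"].lower()
    return STARTUP_DIR in target and target.endswith(STARTUP_SCRIPT_EXT)


def c2_connection(ev: dict) -> bool:
    # Outbound connection to the extracted RedLine C2.
    return ev["type"] == "network" and (ev["dst"], ev["dport"]) in C2_IOCS


RULES = {
    "ping_as_sleep": ping_as_sleep,
    "findstr_carve": findstr_carve,
    "double_extension_exec": double_extension_exec,
    "wmi_spawn": wmi_spawn,
    "startup_url_drop": startup_url_drop,
    "c2_connection": c2_connection,
}


def run_rules(events: List[dict]) -> Dict[int, List[str]]:
    """Return {event id: [matching rule names]} for every event that fired a rule."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[ev["id"]] = names
    return hits


if __name__ == "__main__":
    for event_id, names in sorted(run_rules(SAMPLE_EVENTS).items()):
        print(f"event {event_id}: {', '.join(names)}")
```

The loopback check is what separates the sleep trick from the "checks the status of other devices" signature: a ping to an external host with a count is reconnaissance rather than a delay, so it is deliberately not matched by ping_as_sleep. The C2 rule is the most brittle of the set, since RedLine operators rotate endpoints; the process and file rules describe the loader technique and survive a change of infrastructure.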

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer, Executable exe, 85273b02df3b1611648f0187d890fbbefed5865f93453af003a18e8729b1e627 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2021-08-14 13:46:43 UTC

url : hxxp://activityhike.com/files/felix1008.exe