MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8772d502d5b8d3232070d9e7f2b721668a79b553138a05b6c2e5dc90616f0209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8772d502d5b8d3232070d9e7f2b721668a79b553138a05b6c2e5dc90616f0209
SHA3-384 hash: e3f790af5a7ffe60deaa12c4ad5faa3f9903e06c996a44b7a6995344e224df31fd41ce0ad1f455cdfdf98829e147148e
SHA1 hash: 9f7511e0f83e6581aea8e67e20683e0c3245bbad
MD5 hash: 123fa52c25ad9286156ff0129f76093a
humanhash: salami-juliet-enemy-jupiter
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:328'704 bytes
First seen:2022-11-04 04:54:05 UTC
Last seen:2022-11-04 05:49:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1051c5c269e04ba2ccebe2101efbec9b (8 x RedLineStealer, 6 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:MjU398YLeqvy942lae/ckhplY+EFXxtNUJmMPAsBDbWNnARVAJ6:8tYBm42J/dt3EFX/KFfBDbWNgAc
Threatray 9'334 similar samples on MalwareBazaar
TLSH T13064021135C1C872E33255798A15D6F1ABAFB9B14A34978B3FC847AD8F352C6EE24306
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d8d87cb476676304 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://193.106.191.25/MicrosoftKeys.exe

Intelligence

File Origin
# of uploads :
20
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-04 04:57:22 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/393a4bfe-77d8-45dd-97e4-e8dc1834b7a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/328332/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.28430.UNOFFICIAL
Create hunting rule

Win.Packed.Ransomx-9976466-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63649b26775605b3a4f3895f/reports/22c7d219-2dfc-4046-96a0-9bfd951668c7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca4a7fa6-595d-41ad-a0c5-9b633f6b5e6b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1105136
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8772d502d5b8d3232070d9e7f2b721668a79b553138a05b6c2e5dc90616f0209/
Threat name:
Win32.Trojan.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2022-11-04 04:55:07 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5znkawvxdjsgidq3ht7fnzbm2fhtnktcofalnwc4xojaylpaieq._file
Verdict:
malicious
Similar samples:
46dadfe3313c41df5855c1c03b2e87a319deca82894a78c3772e3f51007480bc
RedLineStealer
54463c0cd8c8293d0230818fcc7eaa2f54c149cbfc0be7984e08ee619831f941
RedLineStealer
713bbca426452a68e0c09c6e38666d585ef62b1867d0119150eb9a15ffb27406
RedLineStealer
75e137a50cc5a7b2b2ef476b704f471dc75b9b35f55e75af325ef445fdbe10a8
RedLineStealer
8540bf2c4f74a4ab1b9cf19ab897de3b409aeff6b93c942e8397377aaa77809b
RedLineStealer
a57e91b1e89315aeabc5feca272d222cbf8732c3c602c8d30b0452311d411d31
RedLineStealer
c3aee3ca9ae334fb355f4f82de954bc736c6b2f4c9c24be523c432c36b63b6fd
RedLineStealer
f962efafc2a1c0b5d8afe541943770189a761add54f068aab012a44fa40a8809
RedLineStealer
+ 9'324 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221104-fj4hdadefl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.106.191.25:47242
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1790236a-e73b-4886-ba3b-72dbeed16942
Unpacked files
SH256 hash:
51892d247f4f58d22ff8200462f5b3c868a9f6b8a94b4df9dd2f58d0b577c5a9
MD5 hash:
71b425ef67ab42737177e4bea2dd661d
SHA1 hash:
a0d4950e8cccfcd4a15e8ccaa68a97a7501c405b
Link:
https://www.unpac.me/results/51c3f0a6-a0a1-4e64-a2d7-8a2616543b2b/
SH256 hash:
298662bcb95f8f6b9a3baa60ac5b08633ba088e1ebce5138b648dc551e690fca
MD5 hash:
2e0087e1d39a4212fec48bcb1f863e37
SHA1 hash:
7110d9b358226d73af10a8c01efa1d907a77c8d5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/51c3f0a6-a0a1-4e64-a2d7-8a2616543b2b/
Parent samples :
2e2c53a60b2a7dc5aa73f4bc5dd62c8cd8869243238e494e19c15786b0e39b63
3b158211fdab7460072279d094fd0fcf25b3f2e189946b551d22c0458e29dea2
909b6e1970be1561aabc23da4c18e43f23f6b3c1651654772ba8ac62c2f9281d
246c7642fbb938fffe931b5115eba4654129cd240df3e6e121bb4a562445fade
41ba630d872de2e11573fc56d0d35f660af4400916cf45339d9bfbd6ac61ac1d
90e64544da42b11abb629557f43535b1ce4c13610a4f078c042d37142fbcfb2d
fba5999240e9d2cf60ff1ef03af8b50eca313e7b21a37168157fba32ce40bc9b
110d02172093238b0d2776d689f6e36d4dd076c13499c1b5046e744270dd321a
cc8e0791e465f95d9fd3f169ceefa5ed49cf43dcc7382e8a2481882dd4898d8e
2433efe22c2f5de8fe7f6e93c479bffd699a3bad3bbeb6907324c26207e890f2
5f18710df865427fef9a24625c4febcbfc6d3392d875139ffc4fe82f46a21762
665deaef12c56c5cc87ce42a50b1362ff2947d50d73029352de27284740731be
87b3cfc024e5d82cf72d644685c84b774e8fef207d47679c35896190c0dbfb81
1c74605c75bd8e876ec7dafd8b9c575e0ec314091cb398ce2257b003aa329bdc
0567e895043cc9f6f2e5f7f181922b461e4786c8986619692c1da09500cde004
73e00576d92ddbd12289d91c7058d5a6dc204166553524a8e078d1ee28e22805
f3f4f79fa871f6c25aa4783a5ed6f50863cb87144050d305778faa9e56feb915
a456ac864e05e7e87ba18dea38ae0f787977b53f6de67eb3e4edb95e460f14c9
4ffc1a3a76f88000005e3a31080416ba9dde13cff6dfa0b4fb4dba6d0a5b9752
740261f3723c26ef79900e8be0c48923c22594756e90c56d653ed17be15d4ba8
8f0d919db4bd161024c7aa5987fecd56af2c251bfa54e0e61ae9f96dc5b437ac
ba3a496df23cb27c37b3765e630c4b637f3b82166621589e953906b1ca29b049
5125c0ea2e1e5eff909165567edc350ba64d21715b5dc5681d46abc8e86bb99d
eb18a8feed7cb2b314eff1ed673ef169800e7915b8b645f781afe2eb749fb5f4
ae4d56ab56cdc1eb59748e85230a584e4485ecf1c427a2b9b234afde5fe7f560
fa8cdcf833c5ba9277d5cde65c48492650b01d3f2a71f9cec04f4c97b970fa41
46dadfe3313c41df5855c1c03b2e87a319deca82894a78c3772e3f51007480bc
83825646d0f03e119b6402cd493ccf1ef4b59be8607a5677a81f68aec0924e9c
75e137a50cc5a7b2b2ef476b704f471dc75b9b35f55e75af325ef445fdbe10a8
1af661ce71738403b1e3861e085615a9d6ee7a4a7d210f557df08d8574ead065
d735036291d4dde5630ad5542dd7d31e777b815786c21feda98805ccdede73cb
815a93b429108d6001a17611a5fc8effdd391852b24a41f534e6d298fe09f7a0
e25d259eca841d0a9d43df091364169b3ccc1281bb7faacc9f3bd0db7eb6b4fb
3bbcb9ffb6f43869baa3073237c68c8274b4b209069f103be8490e7e6a94265a
9eb00fa68cc2a641c2ec67224dcb168d6d527c3113182c57bbfc35036a038bcc
f962efafc2a1c0b5d8afe541943770189a761add54f068aab012a44fa40a8809
a57e91b1e89315aeabc5feca272d222cbf8732c3c602c8d30b0452311d411d31
8772d502d5b8d3232070d9e7f2b721668a79b553138a05b6c2e5dc90616f0209
84b8a951e5388864b214a41ee5b93bfb697539d3e8f36213519205f01f3101ba
4be6bfbd453c88b0774b4e7e0e18f9dcf8e34100d69297b3d4f0d5c5a4006f8f
SH256 hash:
8ddc4e7fc854e80d6e804f4d51a89756b756958ea2562b422513005cdbe56aae
MD5 hash:
73db388ea5561e03cc9a1f9dd801ee73
SHA1 hash:
05422a8e87925b2951f2e1c0e2eb7275096850d4
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/51c3f0a6-a0a1-4e64-a2d7-8a2616543b2b/
Parent samples :
2e2c53a60b2a7dc5aa73f4bc5dd62c8cd8869243238e494e19c15786b0e39b63
1d23a044889676bab59b51cdbdb61c78aaec1838c8209398b9672f0c7bd5b4a9
3b158211fdab7460072279d094fd0fcf25b3f2e189946b551d22c0458e29dea2
087bc7fabc185aeecb627082cce57966d073d91de197e7766946c942bed778a5
9d0bdebeff7003de5aa7fdc480ef78d6f091799884d8505db2e2c74959b9b4d9
909b6e1970be1561aabc23da4c18e43f23f6b3c1651654772ba8ac62c2f9281d
88a6b0da29095e523e90ea9208d0389b0fc9b0617d126a3a310137d7a0796646
246c7642fbb938fffe931b5115eba4654129cd240df3e6e121bb4a562445fade
41ba630d872de2e11573fc56d0d35f660af4400916cf45339d9bfbd6ac61ac1d
90e64544da42b11abb629557f43535b1ce4c13610a4f078c042d37142fbcfb2d
fba5999240e9d2cf60ff1ef03af8b50eca313e7b21a37168157fba32ce40bc9b
6f834842294a87caa8eba0926c8d7dd28de4f57bc600ab7a36f9335edd1d03c8
110d02172093238b0d2776d689f6e36d4dd076c13499c1b5046e744270dd321a
cc8e0791e465f95d9fd3f169ceefa5ed49cf43dcc7382e8a2481882dd4898d8e
2433efe22c2f5de8fe7f6e93c479bffd699a3bad3bbeb6907324c26207e890f2
5f18710df865427fef9a24625c4febcbfc6d3392d875139ffc4fe82f46a21762
c975e6ed754604daf8f682cce9fa9edf5e90da11532ef411d783f4d7e29205e0
665deaef12c56c5cc87ce42a50b1362ff2947d50d73029352de27284740731be
87b3cfc024e5d82cf72d644685c84b774e8fef207d47679c35896190c0dbfb81
1c74605c75bd8e876ec7dafd8b9c575e0ec314091cb398ce2257b003aa329bdc
0567e895043cc9f6f2e5f7f181922b461e4786c8986619692c1da09500cde004
73e00576d92ddbd12289d91c7058d5a6dc204166553524a8e078d1ee28e22805
70064de268e807091e92588d45aebff114e48022b43e039567fb381a51e0efdb
f3f4f79fa871f6c25aa4783a5ed6f50863cb87144050d305778faa9e56feb915
a456ac864e05e7e87ba18dea38ae0f787977b53f6de67eb3e4edb95e460f14c9
4ffc1a3a76f88000005e3a31080416ba9dde13cff6dfa0b4fb4dba6d0a5b9752
caac87fc43eba8bf526e57aa8f6982778092807a30439b00b03ab9552f3af66d
3270b51a5f3b011eacb969c79784734e40c8c7fcf3282beb091a196cfd99f64c
740261f3723c26ef79900e8be0c48923c22594756e90c56d653ed17be15d4ba8
8f0d919db4bd161024c7aa5987fecd56af2c251bfa54e0e61ae9f96dc5b437ac
ba3a496df23cb27c37b3765e630c4b637f3b82166621589e953906b1ca29b049
5125c0ea2e1e5eff909165567edc350ba64d21715b5dc5681d46abc8e86bb99d
eb18a8feed7cb2b314eff1ed673ef169800e7915b8b645f781afe2eb749fb5f4
b78b9ef128443d4c1672adc3c22cfab9c16b3df5d4db6ddb5d865bc3ee238edc
ae4d56ab56cdc1eb59748e85230a584e4485ecf1c427a2b9b234afde5fe7f560
fa8cdcf833c5ba9277d5cde65c48492650b01d3f2a71f9cec04f4c97b970fa41
713bbca426452a68e0c09c6e38666d585ef62b1867d0119150eb9a15ffb27406
46dadfe3313c41df5855c1c03b2e87a319deca82894a78c3772e3f51007480bc
83825646d0f03e119b6402cd493ccf1ef4b59be8607a5677a81f68aec0924e9c
c3aee3ca9ae334fb355f4f82de954bc736c6b2f4c9c24be523c432c36b63b6fd
75e137a50cc5a7b2b2ef476b704f471dc75b9b35f55e75af325ef445fdbe10a8
538ef16b83a2c3ab6951f9c7d7a58ac2f491abb15f3af682eedd018956fda923
4213230e4a8e023d630f7485dab6e27e9a86ae52952e4300b8d9417fa2a32344
1af661ce71738403b1e3861e085615a9d6ee7a4a7d210f557df08d8574ead065
b9467435e46a884005982db9894d3a04d88f170b18769ecba1a7145748016d6f
19a6fcd6ba12f86eb717e871872a46eba39dca0c3bdf9b2aecc97845f165b705
d735036291d4dde5630ad5542dd7d31e777b815786c21feda98805ccdede73cb
908de7467d5809a38e8d74700ef3a1ee02f9e22b2c7932d6cf4cc354f4180fb8
815a93b429108d6001a17611a5fc8effdd391852b24a41f534e6d298fe09f7a0
48bd642aa9e01215af810f9a794af11a59787d3c9cdb3f1b6913ee14a9a4423a
e25d259eca841d0a9d43df091364169b3ccc1281bb7faacc9f3bd0db7eb6b4fb
3bbcb9ffb6f43869baa3073237c68c8274b4b209069f103be8490e7e6a94265a
da2d54dde7e25c2c21139fccc389605ebf1812edfd7128479ae3d6608e58c0be
a2fbf4e5e4481ce64af4b9058e7f37ea2e9d500886ae5f9df9a9acf83c273962
9eb00fa68cc2a641c2ec67224dcb168d6d527c3113182c57bbfc35036a038bcc
54463c0cd8c8293d0230818fcc7eaa2f54c149cbfc0be7984e08ee619831f941
8540bf2c4f74a4ab1b9cf19ab897de3b409aeff6b93c942e8397377aaa77809b
f962efafc2a1c0b5d8afe541943770189a761add54f068aab012a44fa40a8809
a57e91b1e89315aeabc5feca272d222cbf8732c3c602c8d30b0452311d411d31
8772d502d5b8d3232070d9e7f2b721668a79b553138a05b6c2e5dc90616f0209
84b8a951e5388864b214a41ee5b93bfb697539d3e8f36213519205f01f3101ba
d82effcbe405f4824e5b6f6b6f909d4d93ab6ff74b1ca4e59528ab22d407d1ad
9a83e771b942fcb7070ac993a61ad41da88ba5ed5a8f1107db9579c1c79c9800
63cd0c5a00f80d30895e7ca127f5f594025fcebbea529247b3aabe186f96efec
4be6bfbd453c88b0774b4e7e0e18f9dcf8e34100d69297b3d4f0d5c5a4006f8f
SH256 hash:
8772d502d5b8d3232070d9e7f2b721668a79b553138a05b6c2e5dc90616f0209
MD5 hash:
123fa52c25ad9286156ff0129f76093a
SHA1 hash:
9f7511e0f83e6581aea8e67e20683e0c3245bbad
Link:
https://www.unpac.me/results/51c3f0a6-a0a1-4e64-a2d7-8a2616543b2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8772d502d5b8d3232070d9e7f2b721668a79b553138a05b6c2e5dc90616f0209

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/328332/
  
URLhaus
https://urlhaus.abuse.ch/url/2396659/

Comments