MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25
SHA3-384 hash: b7f55667e03659f085a76cd5bd42d4aacc2cb85bcb51f456d8a6453377039b54e66f8d160166ca2efbce1a41a3593991
SHA1 hash: 3a2bbdb7a8b3f18e9fd1490151ca8d45f80544ca
MD5 hash: 975a9bca336900be1c816a516787deac
humanhash: grey-fish-utah-carolina
File name:LeezeyCore.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'505'792 bytes
First seen:2021-11-13 19:09:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 24576:Nso9RH/mf9cEQTHHlHXY3pHsCRXp1ex3YsHQFyO1iKsujdwo7ky9Dzlh891Qjh4e:6oLH/mf9sTHHl3Y3yCRXnc3rH2Td93lJ
Threatray 300 similar samples on MalwareBazaar
TLSH T1F56533BB3F24D5E9C14399F948467A98D32137D8AE94710BBEDB8695C42D4A7CC3C0AC
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205486/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9907417-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/61900d8ddec3347825a3c247/reports/59e45c73-b1e7-46b6-bad4-c3ed41bc4ab0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b137f4d9-e858-47b8-8213-a4f2ddf352a1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888595
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 19:10:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
12518dab733cca4bb84f972aeb18d4b93430914316be53f581c06fd5c42a7050
RedLineStealer
1d1ad9014ce8356b997ff90266f50fb3314d7135e4cc9832128ebfa49f5b8aec
RedLineStealer
1fd73d2549cb9a36d4a27fd7ed6f9ba7aa0ff0e1103b4b96821de901152b118e
RedLineStealer
73b55aa960fdd55ead8274bfcfbb63fa919e67ef534b825196d8864a243a40dd
RedLineStealer
7d61f984aeed2f5bc08d55a88a18f7002049bafc046e3154831f728f961c4921
RedLineStealer
81af0d37d9a8441b0ef5bd86488925b0154fe2d1c36a8db7783117889f73f0e1
RedLineStealer
c467b23bf87c691ee2e68f4970d2bcb9af5e2523e960111671a2cdf61e203485
RedLineStealer
+ 290 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline evasion infostealer spyware trojan
Link:
https://tria.ge/reports/211113-xvc81afdc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
3531b5cff925770bd67bea5ad3516176e4b83c704c16e76a92c830c709eae465
MD5 hash:
70e1cc9a5ebb2cd1d5a5c9351d57c4ee
SHA1 hash:
77056b54dffa2f95bebbd72ff72970217222daba
Link:
https://www.unpac.me/results/611cef05-d4f5-4a2f-91d3-0476a82d3ce2/
SH256 hash:
8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25
MD5 hash:
975a9bca336900be1c816a516787deac
SHA1 hash:
3a2bbdb7a8b3f18e9fd1490151ca8d45f80544ca
Link:
https://www.unpac.me/results/611cef05-d4f5-4a2f-91d3-0476a82d3ce2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8814614df444/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205486/

Comments