MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8841f4c341be3122b4c3967a044b7871d22a67898ee36c1b94bd083aa58d31b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8841f4c341be3122b4c3967a044b7871d22a67898ee36c1b94bd083aa58d31b1
SHA3-384 hash: 41594f82d208d2dc7bb43af81ad2d00ecd9d05bd83b491080440b2ce6e34c54ad8488f3ddcda4f2dcbbccf1ebd5ae86e
SHA1 hash: 34f064e505a54360511c03767e7f73f410a5c9a5
MD5 hash: 8b208a26d01897373c8a430f3d2eb3db
humanhash: batman-texas-aspen-princess
File name:8841f4c341be3122b4c3967a044b7871d22a67898ee36c1b94bd083aa58d31b1
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'237'800 bytes
First seen:2021-06-30 06:00:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:hdWBmy8Wq/4VlqK/7TrWTgio5C6OW9E/C1JUkDQ+56N2SmRa:jWgy8Wq/4N/7Trs/yuW26XQ+o
Threatray 1'048 similar samples on MalwareBazaar
TLSH 5145331786703443E2E39ABC956DCDEEAC70C26A13D0A7F362255A450DD8FD22A3D367
Reporter JAMESWT_WT
Tags:Amcert LLC exe RedLineStealer signed

Code Signing Certificate

Organisation:ESET, spol. s r.o.
Issuer:Symantec Class 3 Extended Validation Code Signing CA - G2
Algorithm:sha256WithRSAEncryption
Valid from:2019-05-10T00:00:00Z
Valid to:2022-05-22T23:59:59Z
Serial number: 65628c146ace93037fc58659f14bd35f
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 285799734b01dc7be2566c6dd6c52ce79735f33159c472297cf0ca3830f70294
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.67.231.194:58183 https://threatfox.abuse.ch/ioc/156101/

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8841f4c341be3122b4c3967a044b7871d22a67898ee36c1b94bd083aa58d31b1
Verdict:
Malicious activity
Analysis date:
2021-06-30 06:02:16 UTC
Tags:
trojan rat redline stealer evasion
Link:
https://app.any.run/tasks/294cdca1-5e57-4b2a-ac09-87fa6b3a47ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168884/
Detection(s):
Win.Malware.Miscx-9874619-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine infostealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d391a95-c8ed-4751-a199-8892d3b14b4c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809770
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442181 Sample: GamDzCDMI0 Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 6 other signatures 2->43 6 GamDzCDMI0.exe 15 31 2->6         started        11 DeviceMetadataParsers.exe 2->11         started        13 DeviceMetadataParsers.exe 1 2->13         started        15 DeviceMetadataParsers.exe 2->15         started        process3 dnsIp4 27 45.67.231.194, 49718, 49728, 49730 SERVERIUS-ASNL Moldova Republic of 6->27 29 api.ip.sb 6->29 31 anydesk-pc.website 176.57.210.144, 443, 49731, 49732 TIMEWEB-ASRU Russian Federation 6->31 21 C:\Users\user\AppData\Local\Temp\miner.exe, PE32 6->21 dropped 23 C:\Users\user\AppData\...behaviorgraphamDzCDMI0.exe.log, ASCII 6->23 dropped 53 Detected unpacking (changes PE section rights) 6->53 55 Detected unpacking (overwrites its own PE header) 6->55 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 6->57 59 5 other signatures 6->59 17 miner.exe 7 6->17         started        33 us-east-1.route-1000.000webhost.awex.io 145.14.144.209, 21, 49747, 49748 AWEXUS Netherlands 13->33 35 files.000webhost.com 13->35 file5 signatures6 process7 dnsIp8 25 iplogger.org 88.99.66.31, 443, 49736 HETZNER-ASDE Germany 17->25 45 Antivirus detection for dropped file 17->45 47 Multi AV Scanner detection for dropped file 17->47 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->49 51 May check the online IP address of the machine 17->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8841f4c341be3122b4c3967a044b7871d22a67898ee36c1b94bd083aa58d31b1/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-27 00:43:42 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rba7jq2bxyysfngdsz5ais3yohjcuz4jr3rwyg4uxuedvjmnggyq._file
Verdict:
malicious
Similar samples:
1915126c27ba8566c624491bd2613215021cc2b28e5e6f3af69e9e994327f3ac
RedLineStealer
6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9
RedLineStealer
7817a0794693ad5eaffdc86ca9d8cf7350f9159433d376840e9f6cb6b9c60edc
RedLineStealer
b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35
RedLineStealer
bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375
RedLineStealer
c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31
RedLineStealer
c1f0ba6302099b8f7ef1ce28a333764efdd308cccc761ba4fcef2af386f13090
RedLineStealer
c2a69374fa77ae7fa54914c3ae95f0741ca0a17b09550f95afeed9303e2aa76a
RedLineStealer
db6c57acf61c5e3fc79190feca4683089f6a05b8af985e49361d25995178e4d0
RedLineStealer
e942c853f791a2ebd37ae59344bf8878d9a02cdcb83848a68876c49497c642d2
RedLineStealer
+ 1'038 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210630-n42zn5gqxs/
Behaviour
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
autoit_exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
Unpacked files
SH256 hash:
8841f4c341be3122b4c3967a044b7871d22a67898ee36c1b94bd083aa58d31b1
MD5 hash:
8b208a26d01897373c8a430f3d2eb3db
SHA1 hash:
34f064e505a54360511c03767e7f73f410a5c9a5
Link:
https://www.unpac.me/results/791e7729-8b1a-4656-8a11-413bf2f66da8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/8841f4c341be3122b4c3967a044b7871d22a67898ee36c1b94bd083aa58d31b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_KB_CERT_65628c146ace93037fc58659f14bd35f
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168884/

Comments