MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 888e66cab511328f37470a99b5cb87cb20fe241541dd907f108f9d122dab1210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 888e66cab511328f37470a99b5cb87cb20fe241541dd907f108f9d122dab1210
SHA3-384 hash: ac96327300514901d83f535761acf3dd71b4c06f45b00f450976511af1e37c0b445ad8c99fd1b5e500004e7c94271876
SHA1 hash: d7d0a1bcb930269090a00c9b6b1e0ca9efb09452
MD5 hash: c2d0de5830a1a0ae1991cd1b6c0bc60b
humanhash: princess-speaker-nineteen-mountain
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'113'408 bytes
First seen:2022-09-17 11:58:00 UTC
Last seen:2022-09-18 06:39:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5cdfba68edbb115e7aa5ed6776bb6546 (29 x RedLineStealer, 1 x MassLogger)
ssdeep 98304:GVjj538tGTXz2+e+me+1w0wdAhlZHdN93HjWDRobz24+jLJFA:AH5LHZS1w09TDLDWDRcz2PjLJFA
Threatray 14'397 similar samples on MalwareBazaar
TLSH T174163387989DE607FA7ED3B32553E938DEE85E60E55393844EB9304F8E0E9131F21294
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 1cfc8669f0b28a22 (3 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc446543183_650775549?hash=1Y6pxX9AO4atk6b6b4awxI1ej6OPXxGqJXeOaL7HE4c&dl=GQ2DMNJUGMYTQMY:1663415233:VbE1FKZNFNoN2z0LXuDb2h2pLzqXs9XLmhUwiHq9Zbk&api=1&no_preview=1#chtest

Intelligence

File Origin
# of uploads :
12
# of downloads :
376
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-17 12:00:07 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2ddcf5dc-6598-4fd4-a827-85a6220f22f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310928/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
DNS request
Sending a custom TCP request
Creating a file in the system32 subdirectories
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6325b651ce468ed26892a72d/reports/575e2245-1a70-486b-814e-3492fa2c3b95/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/305972f3-c1db-4c05-851f-58e82abcd26c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072230
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/888e66cab511328f37470a99b5cb87cb20fe241541dd907f108f9d122dab1210/
Threat name:
Win32.Trojan.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2022-09-17 11:58:15 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rchgnsvvcezi6n2hbkm3ls4hzmqp4javihoza7yqr6orelnlciia._file
Verdict:
malicious
Similar samples:
3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
RedLineStealer
5985533a2117f0818220a430091b3e71e9f7d06c275da1391fe0b58172e90bb0
RedLineStealer
96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881
RedLineStealer
bc36d8add91acbb8bf798b38630fce14593838f7b9e253051864d80317e54ecc
RedLineStealer
cae8b152c313b9001e9fe8d9879518fa1d7e709ddbc2809e276b177c19f63dfa
RedLineStealer
daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
RedLineStealer
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
RedLineStealer
+ 14'387 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/220917-n46r8sdffn/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8dc1f3bf-225b-42d0-9e99-512bcbea2747
Unpacked files
SH256 hash:
ca90bb9ac0661f2ef96371f5b8451a99440f8c2ae5da42e79397265b8d54e52b
MD5 hash:
5ed85b1782a53b4a1ad16570c4a29aa8
SHA1 hash:
f3b1d8546f7d6cc3fe5d6b97efa1efd03d8d3d86
Link:
https://www.unpac.me/results/770217a2-b36b-4b68-a990-35d443e17f36/
SH256 hash:
39cb98d302d6f74ea5396971370ba2f418309d58e85d768ba5cec9091bf70eaf
MD5 hash:
033fc88367dd720bc3080f12793edf84
SHA1 hash:
4d52e3fafaad6436d4511e9fd48e1a29bfa67505
Link:
https://www.unpac.me/results/770217a2-b36b-4b68-a990-35d443e17f36/
SH256 hash:
ed922ff8c446c8672d3708be4cfaed9ca25d3d61a34c9c5b7ebe800602cb8636
MD5 hash:
7c3ddbbee58380b54a6ff42b32d37562
SHA1 hash:
aa222e969867b9347a6528cfaf4dcf6cbdacd0e0
Link:
https://www.unpac.me/results/770217a2-b36b-4b68-a990-35d443e17f36/
SH256 hash:
888e66cab511328f37470a99b5cb87cb20fe241541dd907f108f9d122dab1210
MD5 hash:
c2d0de5830a1a0ae1991cd1b6c0bc60b
SHA1 hash:
d7d0a1bcb930269090a00c9b6b1e0ca9efb09452
Link:
https://www.unpac.me/results/770217a2-b36b-4b68-a990-35d443e17f36/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/888e66cab511/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/888e66cab511328f37470a99b5cb87cb20fe241541dd907f108f9d122dab1210

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/310928/

Comments