MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926
SHA3-384 hash: 345530aa4a16153e57746ef506f087d2d15caa652098a8fe8ee82511b399b59e12fea4ad9956ee1443a6da15794db972
SHA1 hash: 1a7fc24cccaa5bfeae87446a22605a0a475bb409
MD5 hash: 0068f1a9d11db46097fae660005c1228
humanhash: kentucky-table-monkey-skylark
File name:0068f1a9d11db46097fae660005c1228
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:736'768 bytes
First seen:2021-10-21 13:28:31 UTC
Last seen:2021-10-21 14:27:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a2a662be9dffc461398e7c94d0b55b4 (5 x GuLoader, 3 x CoinMiner, 3 x RedLineStealer)
ssdeep 6144:A7Ye0biFuvf739mHQQjpbjpS8qTh7ph6juyk4xVPEacuFO+KMMmC+Jau7TObuneF:A7YbvfQrR21rN/Fu9b4Ng7Fw
Threatray 2'277 similar samples on MalwareBazaar
TLSH T14EF4796F5BF837CBEFA1BBB0899A040255116B8316E103909A841B55FC7C51CEA4FB7E
File icon (PE):PE icon
dhash icon 71ccccd4cc79f2cc (1 x RedLineStealer, 1 x njrat)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1921292380.exe
Verdict:
Malicious activity
Analysis date:
2021-10-21 14:29:08 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c9ab13d6-5d11-4344-8ad4-e6f9b467cccf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199098/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47193987.22676.27291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61716b21a9d585e6d532008e/reports/1c25e519-fad8-4052-a41a-f6126ff4ef5c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d7699bf-975c-4e98-bf08-33d3d81067e8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874595
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507021 Sample: 4lhSJEpdUA Startdate: 21/10/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected RedLine Stealer 2->49 51 4 other signatures 2->51 8 4lhSJEpdUA.exe 1 2->8         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\Madder.exe, PE32 8->33 dropped 53 Adds a directory exclusion to Windows Defender 8->53 12 cmd.exe 1 8->12         started        14 cmd.exe 1 8->14         started        signatures5 process6 signatures7 17 Madder.exe 2 12->17         started        20 conhost.exe 12->20         started        55 Adds a directory exclusion to Windows Defender 14->55 22 powershell.exe 24 14->22         started        24 powershell.exe 25 14->24         started        26 conhost.exe 14->26         started        process8 signatures9 37 Antivirus detection for dropped file 17->37 39 Multi AV Scanner detection for dropped file 17->39 41 Machine Learning detection for dropped file 17->41 43 Injects a PE file into a foreign processes 17->43 28 Madder.exe 2 17->28         started        31 conhost.exe 17->31         started        process10 dnsIp11 35 185.183.32.227, 49715, 49716, 49717 WORLDSTREAMNL Netherlands 28->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 04:26:11 UTC
AV detection:
30 of 44 (68.18%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdmm7rkaroegtcljpskrujxbbr7m2yc3327tuqqy3wtqkmacxeta._file
Verdict:
malicious
Similar samples:
22c23de0a046b3652861d880ad53bbfca85448d0a6814d34151b1f359839dd37
RedLineStealer
2f1e386982e2eec222d82dc5a03c52a9ad81b097058c896937feb47c1ee0525a
RedLineStealer
4db98fd82c7587c5a3c69ecb7574596aa411cded0cbf8f623dd15c3299e0a30f
RedLineStealer
63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f
RedLineStealer
82c0fe6ee7c50aab66003d62b80181a69984dd2f46afdc0f0b264b4f9c087ad5
RedLineStealer
a4ea8ccb32a746e3315e35d366246545d6475dc48e8e43cf92da45bf5de0fe7f
RedLineStealer
bba9c79625e584f537b28492801b0d073408b2876a8500285205c99a2c0e8261
RedLineStealer
d7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622
RedLineStealer
f69f9b3165ea2272211cd546d8391be45a29d391e0ecb1a179d88c828eab28b8
RedLineStealer
fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336
RedLineStealer
+ 2'267 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1.0.2.0 infostealer
Link:
https://tria.ge/reports/211021-qq8qsabcal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.183.32.227:51498
Unpacked files
SH256 hash:
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e
MD5 hash:
b8c0aa13740f17c223af874f41f446d1
SHA1 hash:
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e
Link:
https://www.unpac.me/results/85a1a198-2977-4749-a48d-c613321f4996/
SH256 hash:
e3ce81d7146d4d5c133383b858b33188d3f52cc5a54173e67f380be58e3b3c5c
MD5 hash:
5c86472f10dffc0962c638e3335ba9e9
SHA1 hash:
5de9847fe8b4a5bd9e4e071a0815afc0dba612c8
Link:
https://www.unpac.me/results/85a1a198-2977-4749-a48d-c613321f4996/
SH256 hash:
88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926
MD5 hash:
0068f1a9d11db46097fae660005c1228
SHA1 hash:
1a7fc24cccaa5bfeae87446a22605a0a475bb409
Link:
https://www.unpac.me/results/85a1a198-2977-4749-a48d-c613321f4996/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1705157/
Cape
Cape
https://www.capesandbox.com/analysis/199098/

Comments


Avatar
zbet commented on 2021-10-21 13:28:32 UTC

url : hxxps://k4d5y.jelikob.ru/1921292380.exe