MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0
SHA3-384 hash: 9d3785947c41450788bf0bb33c12cf14c1fad386796c838399c68d6a51174875d0aad58a5222de4750c159e7f1da4cb9
SHA1 hash: c0de296e73ac1edc7638bd4b1baef41087ef05cf
MD5 hash: 4ee4571022db781701c6ed64786fc089
humanhash: coffee-kitten-nuts-finch
File name:SecuriteInfo.com.Win32.CrypterX-gen.15440.30226
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'323'520 bytes
First seen:2023-10-20 11:49:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1bdc00bcc92fbd6b687e759c6e6d6f7 (3 x RedLineStealer)
ssdeep 24576:69x7GtQ1dlriqB2oXWGIuXe3+1G7I2qXx6:6z7riqB2IyuO3
Threatray 386 similar samples on MalwareBazaar
TLSH T13F558C6039C1C221EAE2207697FCBA3523ECA07407976DCB09D896FDDE606D16F31D5A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.15440.30226
Verdict:
Malicious activity
Analysis date:
2023-10-20 12:21:57 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/f6dad2a8-3862-4b37-b129-fb0bec8bfc00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.15440.30226.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/6532696bcd0633254b85df25/reports/b4e06a83-355d-49f4-b48d-91aaf146fc3b/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1b6e64e-fc3e-440a-81a5-8185d0fe7621
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329257
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-20 11:50:06 UTC
File Type:
PE (Exe)
AV detection:
12 of 22 (54.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rig4jduvvag5vv5xo67mbkhhkv2h2tla4iwpbotpciqr573gn3ya._file
Verdict:
malicious
Similar samples:
203c314e7916381a2839cf85744febf7919d0267a33d7831f8239aa191cf9892
RedLineStealer
64b4fdff6a88ebf1ba203f97e6a6d0a5428033bc68dbbba82a617b45f3b49dab
RedLineStealer
6b6313d5140932e57c8b775f5bdd91925d61e4003126352155d045637d3d70d8
RedLineStealer
90e574804204b26a7a56a54d56f44660131015bd4f4dbd58e42717634cc442ae
RedLineStealer
9b05dd809ce00e1f1e9c79cd9216de50322ec66df8b3f50ce3e36b31266439c3
RedLineStealer
a23543464a64fea0ed91623e16dc9631a2274c4a4f929a04eacf149590c6c448
RedLineStealer
cf254832f21bb77a35543ce4e9a0871ff448205a35cd572300d0e3dbd0049e14
RedLineStealer
d66922b28048229f0d1700f944e7b94e282f99d838524e6a8f85f6bdee8c3424
RedLineStealer
+ 376 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/231020-nzkzzaca44/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Unpacked files
SH256 hash:
27c7ca27a7da85821e3603a427592c002a594dbccd9839a97f73609d54877287
MD5 hash:
4f63338a01540840055b339753ea1a93
SHA1 hash:
6dc5ac20a47a54246799468ad336ac0857507d07
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ce1cd3de-73f7-44b3-8977-d465a0f70621/
Parent samples :
5a891161ce4d76b8f7eb0c0ad3ee500c6f2149735e3eaedaabc267d18ce7bc4f
186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034
8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0
6b96f6652af99c513bbe89a4c5e61e2729aa1f67ce0c0c3d0ca28d2959dcd82c
SH256 hash:
8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0
MD5 hash:
4ee4571022db781701c6ed64786fc089
SHA1 hash:
c0de296e73ac1edc7638bd4b1baef41087ef05cf
Link:
https://www.unpac.me/results/ce1cd3de-73f7-44b3-8977-d465a0f70621/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8a0dc48e95a80ddad7b777bec0a8e755747d4d60e22cf0ba6f12211eff666ef0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2722584/
  
Delivery method
Distributed via web download

Comments