MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a1afd9633ff082c44061d12166d6092bc73bed66545b3d1349fabdc753b0545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a1afd9633ff082c44061d12166d6092bc73bed66545b3d1349fabdc753b0545
SHA3-384 hash: 9e50a15553c63fbdda53697c6a8e19c4a0f484e09d733123807bce4c8bbdcd02e9831dfaa0ff7f1a4f61a83abb6a3d50
SHA1 hash: 892a03611e263a0c759e6e3e4061cb5a9602d10c
MD5 hash: acd926d76c200a9b18a2f2b13a780fb1
humanhash: beer-shade-uncle-spring
File name:01.bat
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:175'339 bytes
First seen:2024-03-26 07:00:49 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 3072:Py3HGtkwz6YvQZWD8W/NcCEgTfePftGNnvAa6A6MFNXt:QwzOZ3W/NQgTfUOnvA9AlT
TLSH T1DA0412C2B74FE5A748C8BA0DD863FCAC5FCC5139C6DE5B0A062B599FB9E455C6A23400
Reporter petrovic
Tags:bat Redline RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
01.bat
Verdict:
Malicious activity
Analysis date:
2024-03-26 05:55:41 UTC
Tags:
redline stealer
Link:
https://app.any.run/tasks/fc97969f-43fb-4ad9-9a13-2446f580f9d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching cmd.exe command interpreter
Launching a process
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Adding a root certificate
Changing a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd lolbin powershell
Link:
https://www.filescan.io/uploads/660272aff1c80c2d4d57e655/reports/042554f7-6a47-4bef-9ced-50eea057f062/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8a1afd9633ff082c44061d12166d6092bc73bed66545b3d1349fabdc753b0545
Result
Verdict:
MALICIOUS
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1415603
Signature
Connects to many ports of the same IP (likely port scanning)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Very long command line found
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1415603 Sample: 01.bat Startdate: 26/03/2024 Architecture: WINDOWS Score: 96 36 Snort IDS alert for network traffic 2->36 38 Yara detected RedLine Stealer 2->38 40 Connects to many ports of the same IP (likely port scanning) 2->40 8 cmd.exe 1 2->8         started        process3 signatures4 42 Very long command line found 8->42 11 cmd.exe 1 8->11         started        14 conhost.exe 8->14         started        process5 signatures6 44 Very long command line found 11->44 16 powershell.exe 6 37 11->16         started        20 conhost.exe 11->20         started        22 cmd.exe 1 11->22         started        process7 dnsIp8 26 15.235.131.20, 39206, 49699 HP-INTERNET-ASUS United States 16->26 28 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->28 30 Suspicious powershell command line found 16->30 32 Installs new ROOT certificates 16->32 34 3 other signatures 16->34 24 powershell.exe 8 16->24         started        signatures9 process10
Score:
85%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8a1afd9633ff082c44061d12166d6092bc73bed66545b3d1349fabdc753b0545
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a1afd9633ff082c44061d12166d6092bc73bed66545b3d1349fabdc753b0545/
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-03-26 07:01:05 UTC
File Type:
Text
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rinp3frt74ecyragdujbm3lask6hhpwwmvc3hujut6v5y5j3avcq._file
Verdict:
unknown
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/240326-hs7x9sgf3t/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
RedLine
RedLine payload
Malware Config
C2 Extraction:
15.235.131.20:39206
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a1afd9633ff082c44061d12166d6092bc73bed66545b3d1349fabdc753b0545

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments