MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a3d133145f60e13d148354f3f98de719db9c64d80f0538f53028f9bdc075a72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	8a3d133145f60e13d148354f3f98de719db9c64d80f0538f53028f9bdc075a72
SHA3-384 hash:	0555a8ffd82d4f4b09619a1175d13b568f5ff8197442e69d28b70aa632a4885f15075df68597eb161c6f707b17ee3f65
SHA1 hash:	22ef89d7e3efe27e07901cecdaa74e66fcf8eb5f
MD5 hash:	08a51d7f67a8299d03aae8c54e05c372
humanhash:	eight-venus-alaska-queen
File name:	08a51d7f67a8299d03aae8c54e05c372.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	730'112 bytes
First seen:	2021-03-09 12:06:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:vJcmfzvf0+ib4hLwOjwdmiKnf4iUQb2kD8x4Tg:vKujub4hLBMjKf4i/2UU
Threatray	323 similar samples on MalwareBazaar
TLSH	EDF4D0263AA2C962E5483737D54B500C0734AD02FDB2D71FB9AC765D0A713D23A4AEDB
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

08a51d7f67a8299d03aae8c54e05c372.exe

Verdict:

Malicious activity

Analysis date:

2021-03-09 12:08:44 UTC

Tags:

rat redline trojan

Link:

https://app.any.run/tasks/973d5b00-e706-45d9-b353-c55fc2eaf6dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/123188/

Detection(s):

SecuriteInfo.com.Artemis08A51D7F67A8.27038.5236.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/632701

Signature

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Ransomware.TeslaCrypt

Status:

Malicious

First seen:

2021-03-09 12:07:08 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

2f227912aff8b075c24231e4fd18051f8f5cbbba230810f3724de95e62fdba9a

RedLineStealer

75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82

RedLineStealer

9ab99b021cac114dbf496c1b48e7f704799a1ca7d8b1e7e4366743f2e0ebcdfd

RedLineStealer

badb1739d819774ec20371577cb5435f40fd9943258fb3fbff14f078884c58e4

RedLineStealer

e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011

RedLineStealer

e575af9a4b8de92d24859894514462f2c9ab0a5cb16cf1798a55c923613cd13c

RedLineStealer

e58ef47a566a73ad01ce7a37c178d1fce2a3282882f814997aab487200cf8005

RedLineStealer

e9a66c730fa980242a636338edc5351b82fc20ac3425b6bc1f3e4ec5ed8a5fe2

RedLineStealer

f8ecf503c77e2e7a97a626cb5bcd6954eca80c2a7e2963fd916ce9d0d17b8be0

RedLineStealer

+ 313 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210309-3q89jn71ge/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Unpacked files

SH256 hash:

5448b250ca69913d711c451bf0ac2876f629c81a67967110d0dbdb38db5fda11

MD5 hash:

56905a095234e467561d8ba69b87a510

SHA1 hash:

eb708012e85f31a6cf57de47cf6cd091eb191697

Link:

https://www.unpac.me/results/da1512e9-3aec-4b36-b95b-971481a86e5f/

SH256 hash:

613f76799e0c75b8e2eff0b0d0da44b63476ec5102f8a3337ebc33d6d34a2b8c

MD5 hash:

130d4b79f895d0e65722744579dad4ab

SHA1 hash:

ca5e40c1e87efef7ff099d27580ff69fbff28abc

Link:

https://www.unpac.me/results/da1512e9-3aec-4b36-b95b-971481a86e5f/

SH256 hash:

1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc

MD5 hash:

8f85df46a482b5b068ae7667bf1a33d6

SHA1 hash:

a210d369311aa4d709dc962c634174738576907e

Link:

https://www.unpac.me/results/da1512e9-3aec-4b36-b95b-971481a86e5f/

SH256 hash:

8a3d133145f60e13d148354f3f98de719db9c64d80f0538f53028f9bdc075a72

MD5 hash:

08a51d7f67a8299d03aae8c54e05c372

SHA1 hash:

22ef89d7e3efe27e07901cecdaa74e66fcf8eb5f

Link:

https://www.unpac.me/results/da1512e9-3aec-4b36-b95b-971481a86e5f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a3d133145f60e13d148354f3f98de719db9c64d80f0538f53028f9bdc075a72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 8a3d133145f60e13d148354f3f98de719db9c64d80f0538f53028f9bdc075a72

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/993438/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/123188/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample