MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78
SHA3-384 hash: 820498250007c5c997e2be1e9754d347b24005d79bf4456d4752ee8fab1cb1907d2d99d995275a1eaf58cb58c6fa5429
SHA1 hash: 769b8bdcd4e87324fc7b05d07b600842ceba3aed
MD5 hash: 12f9806ad64e90f6276302e3c023fb71
humanhash: winter-jig-hawaii-enemy
File name:12f9806ad64e90f6276302e3c023fb71
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'120 bytes
First seen:2024-10-16 23:55:18 UTC
Last seen:2024-10-17 01:00:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 48:6LaoejN+CAc+CJrjV6CIndMh0Dc7bVrricqDsKrQ7tieK8CNJjpfbNtm:QWNPAc+CJrR6a0Dclri3DADNizNt
Threatray 2'761 similar samples on MalwareBazaar
TLSH T1D0B1941093E99736EABB8B75ACB393405770B722D917CF1E39C8225BBD177940D02EA0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
484
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
09d0e438a6a8666361559becb0359e5f
Verdict:
Malicious activity
Analysis date:
2024-10-14 17:13:25 UTC
Tags:
stealer redline evasion lefthook metastealer opendir loader rat asyncrat remote
Link:
https://app.any.run/tasks/c55c9402-8a8c-47ce-8cd0-afcc63908a03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.29720.9751.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671052931d4ef219fa638a53
Tags:
Powershell Infosteal Redline Fareit
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit
Link:
https://www.filescan.io/uploads/67105293842a513f3c6015cb/reports/22a6edaa-1882-41bf-a00b-17bcbd19cfb5/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0d2fcf3a-8e9e-4711-a664-cbd92e5dd787
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1535521
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1535521 Sample: rthh9q2PDv.exe Startdate: 17/10/2024 Architecture: WINDOWS Score: 100 100 Suricata IDS alerts for network traffic 2->100 102 Found malware configuration 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 13 other signatures 2->106 9 rthh9q2PDv.exe 15 6 2->9         started        13 Adobe_Install_Updater.exe 2->13         started        16 Adobe_Install_Updater.exe 2->16         started        18 2 other processes 2->18 process3 dnsIp4 98 87.120.127.223, 42128, 49704, 49705 UNACS-AS-BG8000BurgasBG Bulgaria 9->98 92 C:\Users\user\AppData\...\tmp40CA.tmp.exe, PE32 9->92 dropped 94 C:\Users\user\AppData\...\rthh9q2PDv.exe.log, CSV 9->94 dropped 20 tmp40CA.tmp.exe 15 5 9->20         started        132 Multi AV Scanner detection for dropped file 13->132 134 Machine Learning detection for dropped file 13->134 136 Writes to foreign memory regions 13->136 24 InstallUtil.exe 13->24         started        26 cmd.exe 13->26         started        28 cmd.exe 13->28         started        138 Allocates memory in foreign processes 16->138 140 Injects a PE file into a foreign processes 16->140 30 InstallUtil.exe 16->30         started        32 cmd.exe 16->32         started        34 cmd.exe 16->34         started        36 cmd.exe 18->36         started        38 5 other processes 18->38 file5 signatures6 process7 file8 86 C:\Users\user\...\Adobe_Install_Updater.exe, PE32 20->86 dropped 88 C:\Users\user\AppData\Local\Temp\build.exe, PE32 20->88 dropped 108 Multi AV Scanner detection for dropped file 20->108 110 Machine Learning detection for dropped file 20->110 112 Found many strings related to Crypto-Wallets (likely being stolen) 20->112 116 3 other signatures 20->116 40 4 other processes 20->40 90 C:\Users\user\AppData\...\Plain_Checker.exe, PE32 24->90 dropped 114 Injects a PE file into a foreign processes 24->114 43 4 other processes 24->43 46 2 other processes 26->46 48 2 other processes 28->48 50 3 other processes 30->50 52 2 other processes 32->52 54 2 other processes 34->54 56 2 other processes 36->56 58 6 other processes 38->58 signatures9 process10 file11 118 Antivirus detection for dropped file 40->118 120 Uses ipconfig to lookup or modify the Windows network settings 40->120 60 conhost.exe 40->60         started        62 conhost.exe 40->62         started        64 ipconfig.exe 1 40->64         started        72 2 other processes 40->72 96 C:\Users\user\AppData\Roaming\Yftssfzf.exe, PE32 43->96 dropped 122 Multi AV Scanner detection for dropped file 43->122 124 Machine Learning detection for dropped file 43->124 126 Creates multiple autostart registry keys 43->126 130 2 other signatures 43->130 66 cmd.exe 43->66         started        68 cmd.exe 43->68         started        70 conhost.exe 43->70         started        74 4 other processes 43->74 128 Found many strings related to Crypto-Wallets (likely being stolen) 50->128 76 4 other processes 50->76 signatures12 process13 process14 78 conhost.exe 66->78         started        80 ipconfig.exe 66->80         started        82 conhost.exe 68->82         started        84 ipconfig.exe 68->84         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78/
Threat name:
Win32.Spyware.Redline
Create hunting rule
Status:
Malicious
First seen:
2024-10-14 16:58:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjnww2rnttleb5m2jr7nlcwtxpcue2balxjyte2w6xfztkjvfj4a._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
415501cba527ef5e011fd0c180e45545b7602dc25d76a3d0752220f207861baf
RedLineStealer
8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78
RedLineStealer
8fc221b7c8e3f52f22841c866cf0d842f2a1266e79b472273766ce1704474499
RedLineStealer
9df4aaa956d54f55f1bb038f3e8f086169983e094ef8432cd71df928a888a2d0
RedLineStealer
c1a7adbef8fb6d94955cbae7dd0dd5c2778eb4cb45e56b73ccc772274bcb55da
RedLineStealer
cceaadb5aa4d335ca8ebd30919df8933bd7a493ffce6e298204859e1c0577114
RedLineStealer
cf5fa96f42120ec1a33fac86ac171e1fe669b05b2e35b51e2e24249650f9a2b8
RedLineStealer
error
RedLineStealer
+ 2'751 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:7772121777 discovery infostealer persistence rat trojan
Link:
https://tria.ge/reports/241016-3yz5tszhma/
Behaviour
Gathers network information
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
87.120.127.223:42128
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a994869e-92af-4777-931a-a05872ef5d21
Unpacked files
SH256 hash:
8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78
MD5 hash:
12f9806ad64e90f6276302e3c023fb71
SHA1 hash:
769b8bdcd4e87324fc7b05d07b600842ceba3aed
Link:
https://www.unpac.me/results/76b89bb6-49d0-45b4-9593-3ec513ef316f/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a5b6b6a2d9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3238661/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-10-16 23:55:19 UTC

url : hxxp://87.120.127.223/RLPR_DL.exe