MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0
SHA3-384 hash: 8a948eb5af1d1313297a0da70edbbf59b7d350b13ad2101b20c929a3aae14772f159cdeec3f6b56f008bdf8e81814ede
SHA1 hash: 9a5ff4f8ee17f3df850985bc4808dafcdf055b7d
MD5 hash: 5837b52998a15f3fd8b53f83d0381575
humanhash: blossom-cola-connecticut-delaware
File name:5837b52998a15f3fd8b53f83d0381575.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:395'776 bytes
First seen:2021-12-04 06:46:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 368e75ebba7f23963d6c358148415014 (8 x RedLineStealer, 5 x RaccoonStealer, 3 x Smoke Loader)
ssdeep 6144:ZPH9hGn1Dz+bd2CI9VBvXZeVbeYyHwk1CWQ:ZP7G1f+bErtvpeFenHp1
Threatray 3'656 similar samples on MalwareBazaar
TLSH T10584DF2275D1C072D09B68778861CBB18EAAB5711BA21ACF3FD80BBD5F247D1972530E
File icon (PE):PE icon
dhash icon d2b1e4c4ecb986f9 (3 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.241.19.213:46284

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.241.19.213:46284 https://threatfox.abuse.ch/ioc/259048/

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://shrinke.me/AdobePP2022
Verdict:
Malicious activity
Analysis date:
2021-12-04 04:21:39 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar raccoon
Link:
https://app.any.run/tasks/998e1f96-84f7-4371-a045-c6c27d4730ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211213/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/744/overview
Behaviour
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61ab0ee847ed217c0130c81f/reports/28ea8e50-7b2b-4aa5-92fb-5ebe120be190/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad7dbe01-c3df-4e6f-98a0-e3ac85c3c7c4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901312
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-12-04 06:47:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmbwnclchncg26hfgqoyt546prjbacg4coipzrkhpxvza6dyqdya._file
Verdict:
malicious
Similar samples:
1f1858f864bf3d7db8469dd2c095afc51689a77b7221bf8e5b639b194aff1338
RedLineStealer
61012d16ce5716684e6755935387994e4916d3fcdc295d2ac8f02e688581c2ed
RedLineStealer
7eec09749966b69d9eb49acb8e2d50925b3a4cc26d3051dca1dbe91888ca21ad
RedLineStealer
95edb1ae6bc853a40c0f6ebba3470b509409ce94e38096027dffc326d26cf1eb
RedLineStealer
cc135a653d43f5bf9adaf3f913761e807d2d701008b2e2249138bcef5a2f1a62
RedLineStealer
def1c6c0f612e6c8f33b57ff702fa14c8c36ca1fad55a00bd2f18789401c236d
RedLineStealer
e5127a9ede19896dc5b7d164dc332251b03e3189ba66a972ac47f74b4402399d
RedLineStealer
eb6bc4ede6a43e04723cbe0c1f6480f2c057c916e105d6b5665698a98f628a05
RedLineStealer
+ 3'646 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:udpn discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211204-hjpqbsdch2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.241.19.213:46284
Unpacked files
SH256 hash:
4fbabb708d043b641d6dce6b770b9f2c7dc39475dc240ba6ebff80f084b82295
MD5 hash:
a5ca74c6f82faead6d24dcde250525d4
SHA1 hash:
ae0754a38ab2494507017074d805f5dda7e1a285
Link:
https://www.unpac.me/results/b45fd455-f2ee-4eae-9fc7-9de0908e878e/
SH256 hash:
89498545c74d079697803eea5131de57c9ab3c5e362315c9d176879d396b7ffb
MD5 hash:
25f1b3785c3817d441d481e795d39a3c
SHA1 hash:
2dc787cb2385f093354efd45ce5ad5498c0f7ab6
Link:
https://www.unpac.me/results/b45fd455-f2ee-4eae-9fc7-9de0908e878e/
SH256 hash:
14468ffb4a7c03c4ae0975e2942cd5aed4bed4ea422f150df39fed87bc22f091
MD5 hash:
0877917441bf162620ffb8599e3c485b
SHA1 hash:
172be7c10124ab861f364f7e669635c338ae8a66
Link:
https://www.unpac.me/results/b45fd455-f2ee-4eae-9fc7-9de0908e878e/
SH256 hash:
8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0
MD5 hash:
5837b52998a15f3fd8b53f83d0381575
SHA1 hash:
9a5ff4f8ee17f3df850985bc4808dafcdf055b7d
Link:
https://www.unpac.me/results/b45fd455-f2ee-4eae-9fc7-9de0908e878e/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8b036689623b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1849999/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211213/

Comments