MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b695ab5bc7a0211cf2a2fc98445ce164ab30f637fad547fc3f130bd9f510da7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b695ab5bc7a0211cf2a2fc98445ce164ab30f637fad547fc3f130bd9f510da7
SHA3-384 hash: 725057ffab3256ae38151fab6ad94975fe2f4bc2e9390910d35b362b6d976f6197ab5da3f6c78a043628358b743f9948
SHA1 hash: 1823c364af98da9f2e2809e60c7e087b1908ce58
MD5 hash: a9f9190f0b9cdb660dbac86a547c9855
humanhash: table-bravo-juliet-tennessee
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:556'544 bytes
First seen:2022-11-11 05:35:38 UTC
Last seen:2022-11-11 12:37:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:fmBU3VZYBJqPltfU5oApQx9KkcbFoWygfEi40sJnR1V87:z3VZYiCSx91c5Vy2yN9R
Threatray 389 similar samples on MalwareBazaar
TLSH T153C42218B39C31EFC8C3C5BB9AE12D45C7E879737317D28BA8574173680E9609E851AB
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://193.106.191.22/MicrosoftKeys.exe

Intelligence

File Origin
# of uploads :
155
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-11 05:38:40 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/dfd4372a-60a9-4485-a9d8-5c28186b8888

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/332269/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636ddf444834ec1f25eed627/reports/d2817a2c-bb1b-464b-8cdb-0a770cc55709/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d038407-0eb5-467a-b775-cc88821e4df8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1111012
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b695ab5bc7a0211cf2a2fc98445ce164ab30f637fad547fc3f130bd9f510da7/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-11 05:36:09 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnuvvnn4pibbdtzkf7eyirooczflgd3dp6wvi76d6eyl3h2rbwtq._file
Verdict:
malicious
Similar samples:
1ef6e9b0a57651cdb7753709e5482c1eed110a4ff7e8f3381d13b137a8be094b
RedLineStealer
35df805ad3805c9c2ea9840abf32c3f537d9a8f582fd38d7dfc34d8ade5ae925
RedLineStealer
4eea620a4808a85120a64ef027239738d81a960961c8d21071f8680f7b7379e0
RedLineStealer
7dfa267590515ca9e121b4ec618f1fbb988d8bcbdfa4ad27d1fd48a019707812
RedLineStealer
88ab1357fe12b53be4b4f143d3b82d6b0f8a5fe08d23a0c53f2f588f7d181d41
RedLineStealer
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
RedLineStealer
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
RedLineStealer
+ 379 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:neruzki discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221111-gak54sheb5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.106.191.22:47242
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eda9e4fe-a0dd-4d82-b8dc-99e528b84281
Unpacked files
SH256 hash:
cb8ec5152bf94ff964d9c09c2361150c27373eb5f7b10448afa5e189af6e010e
MD5 hash:
eebd6ff94009a8f2997683ceae5b2379
SHA1 hash:
ec632e682298f7ba80c2e3afe03df3a86e583e90
Link:
https://www.unpac.me/results/1cc84b90-cdc2-4405-b51e-9da84f5aaae3/
SH256 hash:
3e30d9a2c29f9ee3c01ccefdb30e6273a1f2d44b9496a01a3c96f1ffda6abb77
MD5 hash:
63519565d7dd6d1da73f210761435a89
SHA1 hash:
31bc3f69b582afbe90891134a301263a7529d63a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1cc84b90-cdc2-4405-b51e-9da84f5aaae3/
SH256 hash:
8b695ab5bc7a0211cf2a2fc98445ce164ab30f637fad547fc3f130bd9f510da7
MD5 hash:
a9f9190f0b9cdb660dbac86a547c9855
SHA1 hash:
1823c364af98da9f2e2809e60c7e087b1908ce58
Link:
https://www.unpac.me/results/1cc84b90-cdc2-4405-b51e-9da84f5aaae3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b695ab5bc7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b695ab5bc7a0211cf2a2fc98445ce164ab30f637fad547fc3f130bd9f510da7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2396659/
Cape
Cape
https://www.capesandbox.com/analysis/332269/
  
URLhaus
https://urlhaus.abuse.ch/url/2405133/

Comments