MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f
SHA3-384 hash: 43a41ca2faeb46e79af59bf26e2c733e233d49388461a381b92ff13b7da0e7025de090b6183c24342fff3098ca74675b
SHA1 hash: 3cec5ae501f0d439a75c9ea1e74989d4fbd5d9ec
MD5 hash: d11952cce9c0e9a38a52fbf887e96681
humanhash: purple-wolfram-eighteen-hydrogen
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:545'792 bytes
First seen:2024-09-10 11:50:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 12288:xh1Lk70Tnvjc+2Pn9TU+4F08bi164ifw5e7J:tk70Trc+2P9TU+4F08W1biw+
Threatray 2'200 similar samples on MalwareBazaar
TLSH T19EC4AE00B940C5B3C8390930E4B7D5F02A363C5AD75A299BB1EDBF6FBA72391572B149
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 6575696149494549 (5 x RedLineStealer)
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: http://147.45.44.104/revada/66e014584fcee_w2.exe#ww2metakis

Intelligence

File Origin
# of uploads :
1
# of downloads :
480
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-10 11:52:24 UTC
Tags:
stealer metastealer
Link:
https://app.any.run/tasks/0d2842b5-988e-4b77-b58c-8160442169ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e032a876bc4542b0495572
Tags:
Infostealer Static Stealth Redline
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc redline redline
Link:
https://www.filescan.io/uploads/66e032a77fd554a24b9bcf4b/reports/3570fda5-bc6e-44f2-8d40-fa6a26f577ea/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cda9e3ea-29cd-4b7b-baf9-d2bdadc7375c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1508614
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads the System eventlog
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2024-09-10 11:51:08 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rp4fdri2ogqztaszft62u5wf5inprzed32e2etcolyijlktxc47q._file
Verdict:
malicious
Similar samples:
1c47603c095d30407222513fe1349e29393b1dccf07db80e99435c90734d8752
RedLineStealer
422bb8e1eda6699de64f37d75816ae1102d44262465f38f5817c63a6c2eab9cc
RedLineStealer
49c778c9ed27cedf53650fd6c8e10c9418b0ae8dc973f8a22b9fab35a6918a7c
RedLineStealer
4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d
RedLineStealer
6f015d2ecc877fdc3d3afec3e0172b3d1c01f5a0a723c7c66780bb2ce6ef5290
RedLineStealer
992f526d307b41f221d7a7942e769095150236302e9825ba57323094767e70aa
RedLineStealer
9d314f7bb979238d429d772e28d7a679fd4391db5d3581666a7f4207061be785
RedLineStealer
aa3a84d69bd27931f0e7aeda5ff5cb4f7780644c2bb59bc1c374470c8109d2da
RedLineStealer
ee2b8e861b9b55428d9e877f09be20ec266a089df2fcd3db55514095e061373c
RedLineStealer
+ 2'190 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline credential_access discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240910-nz5z5ssfmk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
RedLine
RedLine payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8fa9d38f-9048-4e13-95c4-c93eef238127
Unpacked files
SH256 hash:
08c7dce800f888c7a391d40ccc48fa02fcd5c265715b55df47f69d9b3a9603d4
MD5 hash:
ca454db79ab0d145b90987e9fa78a397
SHA1 hash:
e65cac39042eb7bf6d2bca78ff0cfe4dd550d025
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/d350fbf7-2609-4be9-8e98-a50e0fb35d38/
SH256 hash:
9cab9c69eea091ece8e9c31611b41e2a4729d7ed33aa94f35b0b623e615a1bd2
MD5 hash:
685dffd8e575e117ea11b2958dfcdd14
SHA1 hash:
d1e6c94b6f3198f83ac5a3527ba9d0fb9618fa64
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/d350fbf7-2609-4be9-8e98-a50e0fb35d38/
SH256 hash:
8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f
MD5 hash:
d11952cce9c0e9a38a52fbf887e96681
SHA1 hash:
3cec5ae501f0d439a75c9ea1e74989d4fbd5d9ec
Detections:
MAL_Malware_Imphash_Mar23_1
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d350fbf7-2609-4be9-8e98-a50e0fb35d38/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bf851c51a71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8bf851c51a71a19982592cfdaa76c5ea1af8e483de89a24c4e5e1095aa77173f

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3165503/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments