MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
SHA3-384 hash: ed61f53aeab2ec80806a7bf7d8dbe31ef01bcf58c56f4485b4f1555a19b870d1b7650220a0c4becafcb9cc64aba71fbb
SHA1 hash: 51a86a74c011e0a6813b0058104f6b21765ed99c
MD5 hash: 078f90abfc1dddd108adcb85761689d0
humanhash: cardinal-butter-video-oxygen
File name:078f90abfc1dddd108adcb85761689d0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:302'080 bytes
First seen:2022-12-20 18:36:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 3072:rDKW1LgppLRHMY0TBfJvjcTp5XrxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jOur:rDKW1Lgbdl0TBBvjc/BhYOcb55
Threatray 12'565 similar samples on MalwareBazaar
TLSH T1CB548D1035B0CD72C4B6203F89D68A255A2F28214B6A75D7B79B27ED5E307D1B2372CB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c883a69c94a683c8 (170 x RedLineStealer, 2 x QuasarRAT, 1 x N-W0rm)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
078f90abfc1dddd108adcb85761689d0
Verdict:
Malicious activity
Analysis date:
2022-12-20 18:37:42 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/fec91451-f572-4270-8988-b915e7b58897

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/348480/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

Win.Trojan.Generic-9933689-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63a200cee6c3391f0f8fb684/reports/a1266503-bdce-468c-af48-f02ca20f08b3/overview
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9d2e1c4-d8ab-44cd-b2fb-514c8c783bf4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1138182
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-20 18:37:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqvzwvjbrhbchfrepdhdgszpjyuvg34mm5z4diwbunt46h4re7eq._file
Verdict:
malicious
Similar samples:
3edb9c1cbc84959696a940c97d4387d05ceceda1fdc858954a5aa23127b84454
RedLineStealer
476fe5184ee699040c67e6a1cf362c0532fabe25cd5b162f732fbd1cc02b47fd
RedLineStealer
690adc3179ac3706f31fc1acae2dce51011d1ccea5cf24cd73b8f49fa9e7ffc0
RedLineStealer
91791f09eeafec7c137dd6f43d990a6475510ee67a76474f20d1012c023727d3
RedLineStealer
9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
RedLineStealer
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
RedLineStealer
c20ccf287acc446472287bc6f3370ade587831c6cc677e8ca1131005f9a89dfe
RedLineStealer
c85256fef5467ac50c978ef721ee7b93577df33ebed17b6e01249a37c3d9f38e
RedLineStealer
e91bb1f7c2b2ffd094d3915f1fffbfe929efd49e1d732b51d60e8a378a8a066b
RedLineStealer
f40d28a5ad690a3fa3fded93e6fae91bcf61f896871fff9b4687611c58c1dee2
RedLineStealer
+ 12'555 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:trud discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221220-w9f3rsdg4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
65f75c671b35cbde3bc6a355f88bf821f74c8a082c9744480a59bbd72defe0c7
MD5 hash:
1904c9b0a20ab75b269c4a8f7d30dacc
SHA1 hash:
c1aecaaf9ff915be2950fcdaa149dc773d349630
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1a116002-4f30-43e1-b967-7c0c53035018/
Parent samples :
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
46229e0cb12020a35b50685fe5362b96c904c8eb7273c82b428581f3e97359de
MD5 hash:
bc6a96556d5bd384c225494896e016f2
SHA1 hash:
6db5fb667d0d4a3943c43785e2956c21bbb957ce
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1a116002-4f30-43e1-b967-7c0c53035018/
Parent samples :
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
SH256 hash:
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
MD5 hash:
078f90abfc1dddd108adcb85761689d0
SHA1 hash:
51a86a74c011e0a6813b0058104f6b21765ed99c
Link:
https://www.unpac.me/results/1a116002-4f30-43e1-b967-7c0c53035018/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c2b9b552189/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2476460/
Cape
Cape
https://www.capesandbox.com/analysis/348480/

Comments


Avatar
zbet commented on 2022-12-20 18:36:43 UTC

url : hxxp://31.41.244.228/true/trud.exe