MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c471d51102a8d3e4e91cdf37ed853cd2fea55ac46c726abfcfd7f5cefaf1c7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: 8c471d51102a8d3e4e91cdf37ed853cd2fea55ac46c726abfcfd7f5cefaf1c7d
SHA3-384 hash: e5c46432f2235651124a3a3b82407ef96a7a2f72ab91a16da52f90aa71dde769cd55b1d0b27c0497b914bd0e16bf5029
SHA1 hash: 3a47ed4c0c28c2265778f769fb02eda55b031d41
MD5 hash: 960d3ae734d43e16abda0d17651d0351
humanhash: autumn-tango-december-alaska
File name: file
Signature: RedLineStealer
File size: 340'992 bytes
First seen: 2022-12-17 08:36:12 UTC
Last seen: 2022-12-17 08:40:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e6bd3d9b5d23304bda5e80b81c28964e (28 x RedLineStealer, 24 x Smoke Loader, 11 x Tofsee)
ssdeep: 6144:ON3Ld5z9CNbQtCJNW/BvZ0HdJM6YjE6ojrfvf1Z1ifNHsZXHcT2gz5z40M2b:Oh5h0VHOX0HdWQZrf/k08TT
TLSH: T12674E0F12791E63EC153D3308C24E6A4A666A8205E7285F33B156A6F0D702D169FF37E
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9a9acefecee6eae6 (50 x Smoke Loader, 41 x Amadey, 12 x RedLineStealer)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from http://31.41.244.228/fusa/bibar.exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 172
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-12-17 08:36:40 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: anti-vm greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Mikey
Status: Malicious
First seen: 2022-12-17 08:37:05 UTC
File Type: PE (Exe)
Extracted files: 56
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:joker discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction: 31.41.244.186:4083
Unpacked files
SHA256 hash: 96b6eda3aaa5a1e411ecb353de8f1b1a30873551885064c097c2543df43603ad
MD5 hash: 503c3a3d8cc57de51144ab749373a7fa
SHA1 hash: 6f6350e7ec826c7a51d0d431abbec854cf8245f6
SHA256 hash: 7349f65e0f04b50285a6531194a4e5f64a2d6fec6388efaef305685b0100b565
MD5 hash: 95ceda8d6d147ed1738cd24a1d3d9cc1
SHA1 hash: 0a94c61fe3a992f3a8be3fb2c3f8e23931a46277
Detections: redline
Parent samples:
SHA256 hash: 8c471d51102a8d3e4e91cdf37ed853cd2fea55ac46c726abfcfd7f5cefaf1c7d
MD5 hash: 960d3ae734d43e16abda0d17651d0351
SHA1 hash: 3a47ed4c0c28c2265778f769fb02eda55b031d41
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
