MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e4498de5e106ee9177eebcc3e759ada0aa7ec8896b8113c1cdeeef15e66f285. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e4498de5e106ee9177eebcc3e759ada0aa7ec8896b8113c1cdeeef15e66f285
SHA3-384 hash: 642c084b4e8afc9b0bbcf58fb11c092504a9902dfea40b5700ab60ccd31918bd5c3cebcf658f51cd486884d760a32660
SHA1 hash: 4b309de5145000cb7c30ef5f9c4e5d5ec92a3371
MD5 hash: fd11c29ea49dd7685e7e2e902f52f7c0
humanhash: finch-finch-skylark-montana
File name:fd11c29ea49dd7685e7e2e902f52f7c0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:438'272 bytes
First seen:2021-12-01 22:09:03 UTC
Last seen:2021-12-02 00:50:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad1f616fc468bd147c554b5a184b3c44 (2 x Amadey, 2 x Smoke Loader, 2 x RedLineStealer)
ssdeep 6144:c0foFT4kCoysFv8+OlJlHUGRJI5Y380LreEMizHQp+Ze80R7pdK5hPYQ3/Prh/o:xxEUHHlL4qxrpMGHQp+Ze80R65hPY3
Threatray 3'681 similar samples on MalwareBazaar
TLSH T12294BE10E7A0D035F5F712F88AB59378A92E7EA16B34A0CF53D416EA4674AE1EC31317
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-12-01 20:59:35 UTC
Tags:
trojan rat redline evasion loader opendir stealer
Link:
https://app.any.run/tasks/575d7399-2219-41f8-8f1e-15039a1c8d83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210476/
Detection(s):
SecuriteInfo.com.Packed-GDVFD11C29EA49D.8862.19798.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/476/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a7f2be707a51cfe28a3c03/reports/6dc6194d-fd86-4703-9ce4-f3fc06bf8493/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03843294-9e32-499b-b088-2a1f3ba9ba22
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899797
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e4498de5e106ee9177eebcc3e759ada0aa7ec8896b8113c1cdeeef15e66f285/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 22:10:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzcjrxs6cbxosf365pgd45m23ifkp3eis24bcpa433xpcxtg6kcq._file
Verdict:
malicious
Similar samples:
1c9280c4101e0bcdd266eeda804e61f07bfd5a2a08117077abf7ef63ae8347b6
RedLineStealer
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112
RedLineStealer
991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f
RedLineStealer
a769514eb7d1363570d3e05161e8e51485ad353464f142bdd94a854cd2e93d50
RedLineStealer
d1439d1a3c8bd8495a07ea2d22e4480b7cd837deb3b6c5576e98592de7f67996
RedLineStealer
d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718
RedLineStealer
f4128b1298fd05caadb8c40c93588c09c4f636b997afd88f35a9898ceaf6d2e8
RedLineStealer
+ 3'671 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix02.12 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211201-12tq4sgdbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:21508
Unpacked files
SH256 hash:
804462afc338b92ce7beafcacd3edc8e6362df0764e5092f2662f82e2698f04e
MD5 hash:
3aaf2ee0d2b279bb742cc884f28d5606
SHA1 hash:
af69f0c885ddb0ad986e22063cb3a3bc4b7e121f
Link:
https://www.unpac.me/results/93869b5a-fcbb-48ed-9d5d-188715c1bdd4/
SH256 hash:
d80ec6beef8b95b8fa83bdf287d94f4a2621dbb27d1b4da0745977c77ecab60d
MD5 hash:
bbdc313befe492770494ee63249be495
SHA1 hash:
a0f7bd414414b0996528a491d18a3740edfac4a1
Link:
https://www.unpac.me/results/93869b5a-fcbb-48ed-9d5d-188715c1bdd4/
SH256 hash:
20f57c900a20fc2c49dc210bfca6a9252d0e18c8df35d6616301fc90ebac698b
MD5 hash:
196fcab051413ca257cd57bab98e6b0b
SHA1 hash:
8ba6d72d298cccce853b944911e6a07a1bc9bc06
Link:
https://www.unpac.me/results/93869b5a-fcbb-48ed-9d5d-188715c1bdd4/
SH256 hash:
8e4498de5e106ee9177eebcc3e759ada0aa7ec8896b8113c1cdeeef15e66f285
MD5 hash:
fd11c29ea49dd7685e7e2e902f52f7c0
SHA1 hash:
4b309de5145000cb7c30ef5f9c4e5d5ec92a3371
Link:
https://www.unpac.me/results/93869b5a-fcbb-48ed-9d5d-188715c1bdd4/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8e4498de5e10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e4498de5e106ee9177eebcc3e759ada0aa7ec8896b8113c1cdeeef15e66f285

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8e4498de5e106ee9177eebcc3e759ada0aa7ec8896b8113c1cdeeef15e66f285

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/210476/
  
URLhaus
https://urlhaus.abuse.ch/url/1843001/

Comments


Avatar
zbet commented on 2021-12-01 22:09:05 UTC

url : hxxp://neofunkyjunky.com/work/mix.exe