MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e62fa9bee31b3884ed681ecd50d1fa31f0a9d889b16ff0b980ac4686f9b288f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 8 File information Comments

SHA256 hash:	8e62fa9bee31b3884ed681ecd50d1fa31f0a9d889b16ff0b980ac4686f9b288f
SHA3-384 hash:	7bb2b037116c18a3a9fee6be2dae42d2962701e6caa674fc3913d4d577ba5395674096ab1275540e233143874bb9d6be
SHA1 hash:	c69df5fdbfd7775bf3fafc317a38d341db975d50
MD5 hash:	9a2c76b67399e5933277c6b9d39048fc
humanhash:	jersey-monkey-lima-july
File name:	SecuriteInfo.com.W32.AIDetectNet.01.32611.41
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	523'776 bytes
First seen:	2022-05-25 03:39:05 UTC
Last seen:	2022-05-25 13:39:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:FY+EuKeQ0GZFFMRNal+04aQNAH5f9wd0wZ/wBzliAjwZ5p:C+Eu1RNG+04jNm6d0wUiLZj
Threatray	2'363 similar samples on MalwareBazaar
TLSH	T101B412495798536AD2789FF07D34503403B3B149A855E38CEFCA70EBACF27489872A97
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
2.56.59.101:17559	https://threatfox.abuse.ch/ioc/631971/

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.32611.41

Verdict:

Malicious activity

Analysis date:

2022-05-25 04:28:40 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/aa8f9ed1-3285-463c-b65f-56be21ee1be5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274328/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/628da4e23ec49f83a6c94a23/reports/cf3e3ac4-c8bc-4046-94ca-a31d181fb6c2/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5af3bb61-3dd9-4fee-a871-eb75db2c6b98

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1001230

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e62fa9bee31b3884ed681ecd50d1fa31f0a9d889b16ff0b980ac4686f9b288f/

Threat name:

ByteCode-MSIL.Trojan.RedLine

Status:

Malicious

First seen:

2022-05-25 04:10:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rzrpvg7oggzyqtwwqhwnkdi7umpqvhmitmlp6c4yblcgq343fchq._file

Verdict:

malicious

RedLineStealer

65e6a581a3dd50afb748c094d5b260619c5833404c8b2663b0210c9027e513d1

RedLineStealer

aa6c6857fc19eb3a065790affae85831a29b44173bf021355e61522cbc5d4d53

RedLineStealer

b0d6b2cec2929e32f2c8b1ac138fa95e3d2364c9e8020b929983c212e51aa6f0

RedLineStealer

c39b65870a9134612935225334d16590d89261cacac9f99817c2b64cfe884ce0

RedLineStealer

c5977cd65e2e24ea203eaf3dd8742f4827beda5568bfe0f742461e795acc0396

RedLineStealer

d71cf7a62479b0575847eeafd4acf947866a82dba4614ea9cd9493a8f59a85b3

RedLineStealer

db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f

RedLineStealer

db19f1bef553dda6b33f8e792dc85c8bb8098826ecc41afe9be84ac3d73f7b33

RedLineStealer

+ 2'353 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:xxl discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220525-d7pb9agcg2/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

2.56.59.101:17559

Unpacked files

SH256 hash:

961b3744dc87436fd619b363b56b06afe91603b972b910c3b633baef8f4d6a88

MD5 hash:

ee7ccc2980e9c8c36b82ece81a148318

SHA1 hash:

ca04b734c01b95dd860dee909e6fb3f79fd0182b

Link:

https://www.unpac.me/results/81aab124-d57d-49dc-b57b-fda1d1eebfbe/

SH256 hash:

c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2

MD5 hash:

86f922d84e1b89f646bc23cb3d878a9c

SHA1 hash:

b61f4401c1a144d704988cf4e55dd9a71f8d8263

Link:

https://www.unpac.me/results/81aab124-d57d-49dc-b57b-fda1d1eebfbe/

SH256 hash:

0283941f1f7ae72f88bb3044addc3f4274549c3fd771612ec3df95c80b708c9e

MD5 hash:

abcf7824b477074db7ac154a80d1e329

SHA1 hash:

9c6982829bff318776560846de7bcc39d3c16f7f

Link:

https://www.unpac.me/results/81aab124-d57d-49dc-b57b-fda1d1eebfbe/

SH256 hash:

7f891ead95d3ba966c518507dfa2b1db8ad8e8b1e36c097115e5a6ea5bbb3aa4

MD5 hash:

26015b769236b3673928bca58a989e70

SHA1 hash:

2476ecdfe8c0c3f98ddb6385447e48000fabefa1

Link:

https://www.unpac.me/results/81aab124-d57d-49dc-b57b-fda1d1eebfbe/

SH256 hash:

655d2e2c537e58d55405bdc9fa2fcaf94a484bd0eed1a22fe529091c4d8d5937

MD5 hash:

ed35fb67ae9e0ab4eded8e680cb4f875

SHA1 hash:

036cc9ac9134e0910d1e6007f2a8e22c4887e650

Link:

https://www.unpac.me/results/81aab124-d57d-49dc-b57b-fda1d1eebfbe/

SH256 hash:

8e62fa9bee31b3884ed681ecd50d1fa31f0a9d889b16ff0b980ac4686f9b288f

MD5 hash:

9a2c76b67399e5933277c6b9d39048fc

SHA1 hash:

c69df5fdbfd7775bf3fafc317a38d341db975d50

Link:

https://www.unpac.me/results/81aab124-d57d-49dc-b57b-fda1d1eebfbe/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8e62fa9bee31/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8e62fa9bee31b3884ed681ecd50d1fa31f0a9d889b16ff0b980ac4686f9b288f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274328/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample