MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e69124eef60e3fd34df9b53b91c526e8c4b120d0e56bf8565080362f767284f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 4 File information Comments

SHA256 hash:	8e69124eef60e3fd34df9b53b91c526e8c4b120d0e56bf8565080362f767284f
SHA3-384 hash:	982d8090a46b5a522c51a450ff2de2209eda24c814f82df011b47b521880bd2c096b15eda434cfbc0e22174c343f2418
SHA1 hash:	e5817ba0b2165839370d295db866ac1a35187634
MD5 hash:	38299ac520e112d4d31ca74b5b9a7f89
humanhash:	colorado-robert-robert-xray
File name:	38299ac520e112d4d31ca74b5b9a7f89.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'884'672 bytes
First seen:	2022-05-11 01:21:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5a498eee87e4d89512a84502f500181f (138 x AveMariaRAT, 57 x RedLineStealer, 7 x CoinMiner)
ssdeep	49152:eO52SeihkR7GGm/3Fk0L2G3V/Xmjwu3nJYp0PP:eOESeihkR7GZfF/Lx/FyJYuX
Threatray	96 similar samples on MalwareBazaar
TLSH	T1C295BEE38302120BF262F439801E9D6DB9B20B3157CFB87767899EE9931B2D0556DB53
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4505/5/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
95.217.225.59:40037

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.217.225.59:40037	https://threatfox.abuse.ch/ioc/549390/

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

38299ac520e112d4d31ca74b5b9a7f89.exe

Verdict:

Malicious activity

Analysis date:

2022-05-11 01:23:01 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/0d11f1be-423b-4288-95a6-e8c43f518130

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/269575/

Detection(s):

Win.Packed.Sabsik-9948912-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Modifying an executable file

Creating a process with a hidden window

DNS request

Sending an HTTP GET request

Stealing user critical data

Query of malicious DNS domain

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17070/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/627b0fcfbd5c76586e2b7c36/reports/df276e34-890a-4b80-ba7a-fb019919c098/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/11f3d53e-3ee8-4e6f-986c-1e0dfec3801e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/991571

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e69124eef60e3fd34df9b53b91c526e8c4b120d0e56bf8565080362f767284f/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-05-08 03:56:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 41 (75.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rzuretxpmdr72ng7tnj3shcsn2geweqnbzll7blfbabwf53hfbhq._file

Verdict:

malicious

RedLineStealer

22facef9a36ba3773faec91556d9cd08338de697efeb268c88698cfbc3668347

RedLineStealer

26dde4b7d7de752c625f0144190ab3f7a265d9f140d0d81e6751e56ebd5affc6

RedLineStealer

2f6cf61ca279ab22095de51cde942554b9aa1b481d5237f79fa5990ccbf5121e

RedLineStealer

5f6abb45e898b5fa648c3ce4e8d291b98ed0c84fa6597952ddfd35e4d7c2c6f2

RedLineStealer

b6a3b9630a6ed8f626b7fdc083c73a03c57923c1055314bacaa49031c5fa6ae3

RedLineStealer

+ 86 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer persistence spyware

Link:

https://tria.ge/reports/220511-bq8nfsehem/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

95.217.225.59:40037

Unpacked files

SH256 hash:

dff26c45911b58ce30d45c052ca29792612ae549baf60f42b85b1b6549f7cb53

MD5 hash:

b39af2dfab7015d381b9c672c7e4a896

SHA1 hash:

403e96559f0a05e15f0d9c5a370ffe859a183d97

Link:

https://www.unpac.me/results/c4a858bf-229b-43b5-9ed8-fd379a261f64/

SH256 hash:

8e69124eef60e3fd34df9b53b91c526e8c4b120d0e56bf8565080362f767284f

MD5 hash:

38299ac520e112d4d31ca74b5b9a7f89

SHA1 hash:

e5817ba0b2165839370d295db866ac1a35187634

Link:

https://www.unpac.me/results/c4a858bf-229b-43b5-9ed8-fd379a261f64/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8e69124eef60/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/8e69124eef60e3fd34df9b53b91c526e8c4b120d0e56bf8565080362f767284f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269575/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample