MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e759fad023bf1bdaeb49d4705b56af8ab602ff8e46974b1fee2340502c7aa30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 9

SHA256 hash: 8e759fad023bf1bdaeb49d4705b56af8ab602ff8e46974b1fee2340502c7aa30
SHA3-384 hash: 0e1093351bc4768f9a8af01eb066a2e4726dd5e30c51271b2b8bcedf635661b06a5f267d6869a9dff6e4ddc0d55215e8
SHA1 hash: 63a0e512d662d23e51e7b484999e665e1e53a8d6
MD5 hash: bd3d7817cf0eff2263b6bdd090d88ffe
humanhash: romeo-twelve-glucose-king
File name: Trainer v22.3.exe
Download: download sample
Signature: RedLineStealer
File size: 1'123'598 bytes
First seen: 2021-06-16 09:20:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep: 24576:J9btxEOIIZW41aqRSsiiE9CLfSsqUckSz/bfrBRqjwXfZ:JNNIITPIuEuSsjQ9sMXR
Threatray: 254 similar samples on MalwareBazaar
TLSH: 98351222F597E477C893F231344EE66409696D2F2B315AC77760FE1B09F06C18A6C2B9
Reporter: ShinigamiOwl
Tags: exe RedLineStealer


ShinigamiOwl
https://www.youtube.com/channel/UCJ-ZUDOQE4MXPQUk5EqeONA

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.67.228.152:54641
ThreatFox reference: https://threatfox.abuse.ch/ioc/130834/

Intelligence


File Origin
# of uploads: 1
# of downloads: 113
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Trainer v22.3.exe
Verdict: Malicious activity
Analysis date: 2021-06-16 09:24:19 UTC
Tags: autoit trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Deleting a recently created file
DNS request
Sending a UDP request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 435300; sample: Trainer v22.3.exe; start date: 16/06/2021; architecture: WINDOWS; score: 92). Process chain shown in the graph: Trainer v22.3.exe starts cmd.exe (flagged: Submitted sample is a known malware sample, Obfuscated command line found, Uses ping.exe to sleep, Uses ping.exe to check the status of other devices and networks); that cmd.exe starts a second cmd.exe and conhost.exe; the second cmd.exe (flagged: Obfuscated command line found, Uses ping.exe to sleep) launches Nei.exe.com, PING.EXE (contacting 127.0.0.1 and 192.168.2.1) and findstr.exe (which writes a dropped file of type Targa under C:\Users\user\AppData\Local\...); Nei.exe.com relaunches itself, issues a DNS lookup for iwADuTsRcGhYtIhcsuYF.iwADuTsRcGhYtIhcsuYF, drops RegAsm.exe (PE32) under C:\Users\user\AppData\Local\... (flagged: Writes to foreign memory regions, Injects a PE file into a foreign processes) and starts RegAsm.exe.
Threat name: Win32.Trojan.Crypzip
Status: Malicious
First seen: 2021-06-13 00:41:13 UTC
AV detection: 9 of 29 (31.03%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SHA256 hash: 7378ea1203b688de387fe518d538e41b446e15dd43200fd7596f79e8acf37da9
MD5 hash: e1a6807ac3fdf067b6641df09ace446d
SHA1 hash: 92efa16d02c07c6860b6a358d80d4fde0516ac84

SHA256 hash: 859cfbefedf3778b1befc1b31759dc33c3ab367d80007e52921164d5afacf2af
MD5 hash: be97322d719682b638064b6966b4e164
SHA1 hash: 1db488b4f7f854dc4d0e09b71624122c93b0647b

SHA256 hash: 8e759fad023bf1bdaeb49d4705b56af8ab602ff8e46974b1fee2340502c7aa30
MD5 hash: bd3d7817cf0eff2263b6bdd090d88ffe
SHA1 hash: 63a0e512d662d23e51e7b484999e665e1e53a8d6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 8e759fad023bf1bdaeb49d4705b56af8ab602ff8e46974b1fee2340502c7aa30 (this sample)

Delivery method
Distributed via web download

Comments