MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e9e044de1b05067e1ee4cfd8e533ddce98a98423a2d701e198fc80640f032a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e9e044de1b05067e1ee4cfd8e533ddce98a98423a2d701e198fc80640f032a4
SHA3-384 hash: c4cce6982326abc7aa2d0eb5a7d27c86b8b4a00775f7de56897b0bd7bcf2d99a8213c744aa05fa9a516eb57b517ef25d
SHA1 hash: 4564937b40876d5b434482a0c500e10749d0feec
MD5 hash: 13ef89bcbe745d2001d63e3023ff07ca
humanhash: enemy-mango-saturn-low
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'190'080 bytes
First seen:2022-09-23 21:31:21 UTC
Last seen:2022-09-24 01:17:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20f4d01ae21b0e6cb121dec5155dae62 (3 x RedLineStealer)
ssdeep 98304:VZVzWbiq2R3pD5I3HqicYASjuYlyc1FqcACfXzwT7vrVaJhD56fKPY3DJoF39oD8:VZcrW54HVFZFrFHrfXIrrVaJjLkY3Qow
Threatray 71 similar samples on MalwareBazaar
TLSH T169562363036A0149F1F9CC7CD1377EF435F617675B41AC3869AAACC12A229A5F213E63
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc594260791_643201878?hash=eiQb5ay3mvIpKA8nVViE7sJJWISE4hTI1DARpRJG0KH&dl=GU4TIMRWGA3TSMI:1663963245:3Ug2lpqUOM2mhhCH5nXa0RsQRRz1vEseTwWj3ckKFeP&api=1&no_preview=1#aegan143

Intelligence

File Origin
# of uploads :
3
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
http://hardlyfind.com/viewpoints/funders.c3VwZXIgcG9zZSBib29rIGZyZWUgZG93bmxvYWQc3V/lazkao/malaria/ZG93bmxvYWR8Q045YTNBNVlueDhNVFkxT1RJM01EWTNPSHg4TWpVNU4zeDhLRTBwSUZkdmNtUndjbVZ6Y3lCYlVFOVRWRjA?transporting=&predictive=raymer
Verdict:
Malicious activity
Analysis date:
2022-09-23 23:17:03 UTC
Tags:
evasion trojan socelars stealer opendir loader rat redline ransomware stop raccoon recordbreaker
Link:
https://app.any.run/tasks/abea36d6-0e52-4fe8-8efb-6db819610607

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312677/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.28378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the system32 subdirectories
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38620/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/632e2614865ed83c012098ed/reports/c921a372-94a0-4241-9977-58b787afac9e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7327b303-b55b-476b-97a6-797d1b90f242
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076161
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e9e044de1b05067e1ee4cfd8e533ddce98a98423a2d701e198fc80640f032a4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 21:32:18 UTC
File Type:
PE (Exe)
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2paitpbwbigpypojt6y4uz53tuyvgcchiwxahqzr7eamqhqgksa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1
RedLineStealer
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
RedLineStealer
595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6
RedLineStealer
81ae7aea498cdd4d50470b3dcd54088d7bce5bf5f6019b08d9d558acd190cb4d
RedLineStealer
8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe
RedLineStealer
b97aabb7096844d6df6ab9ff06ddc892fd368002543ae0aa36e9a673d0b2236a
RedLineStealer
ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1
RedLineStealer
ef7f2a5348c23351c26390a636b47d35b3e236c47017e1ed95c112a87b783cf0
RedLineStealer
f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023
RedLineStealer
+ 61 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:3kpess infostealer spyware
Link:
https://tria.ge/reports/220923-1dl2cshhf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
151.80.89.227:45878
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7b486ebc-f421-46dd-b4ca-6cbf67eb41e9
Unpacked files
SH256 hash:
2fd7bcdc5b83045c26ebc847979ec3bc22f6a63404f6a90de39fae793804b75a
MD5 hash:
27e4d81d8120fab1b01cadb20ca0c3de
SHA1 hash:
e8b0437d124d1a571a633b8a22f071fac1771df6
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/081b0373-9d9e-485d-94d2-03f3a61eb459/
SH256 hash:
ccdda743782bc09eb38fddcd6f9c5be45ca965a360ef7b27049e7163cdb68fba
MD5 hash:
5dc1d2096f98c99cff113da2b1eb23b6
SHA1 hash:
28503f28cb57c4e73a1f52a13b901b62fb00ac79
Link:
https://www.unpac.me/results/081b0373-9d9e-485d-94d2-03f3a61eb459/
SH256 hash:
8e9e044de1b05067e1ee4cfd8e533ddce98a98423a2d701e198fc80640f032a4
MD5 hash:
13ef89bcbe745d2001d63e3023ff07ca
SHA1 hash:
4564937b40876d5b434482a0c500e10749d0feec
Link:
https://www.unpac.me/results/081b0373-9d9e-485d-94d2-03f3a61eb459/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e9e044de1b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e9e044de1b05067e1ee4cfd8e533ddce98a98423a2d701e198fc80640f032a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/312677/

Comments