MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43
SHA3-384 hash: 9dcbb175974afc3f437f99414e7d0579f595c7d7a3f5d437ca4f8958cd836bd3641499d7f8571f3ed382a4e2b4959943
SHA1 hash: f7a22058ca233ad6685af822a209598b6413b5d7
MD5 hash: 2f84afead84a3699cb870693b05c308c
humanhash: nineteen-fish-arizona-juliet
File name:2f84afead84a3699cb870693b05c308c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:256'512 bytes
First seen:2022-04-07 17:55:16 UTC
Last seen:2022-04-07 18:34:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ead537e66fd31bca123a6ae9ea592fed (1 x RedLineStealer)
ssdeep 6144:43Rp8r44IyJSnxHMZyizFb3wje3wURPmv:4szIyonxsgizFH3wURPmv
Threatray 6'701 similar samples on MalwareBazaar
TLSH T1FC44AE553BAAA073ECE2FB317518B6604439BC164FBDB913129036653E333A1A73BC59
File icon (PE):PE icon
dhash icon 686eeee2b292c6ec (6 x njrat, 3 x RedLineStealer, 2 x CoinMiner)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
2f84afead84a3699cb870693b05c308c
Verdict:
Malicious activity
Analysis date:
2022-04-07 18:01:36 UTC
Tags:
evasion redline trojan
Link:
https://app.any.run/tasks/a0bdf4c0-8200-4066-b3f0-36fcd3473f3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/261787/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.46772.30072.23151.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13021/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/624f25c4d53a7479dad11ea1/reports/100b609d-beee-4543-bf6e-53590ca9e6ab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ee89505-b4ac-4fde-85f6-39632ba3e582
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/972645
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605132 Sample: DwogEo02SP Startdate: 07/04/2022 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 9 other signatures 2->59 8 DwogEo02SP.exe 3 2->8         started        process3 file4 31 C:\Users\Public\yuMBYoKlosa.exe, PE32 8->31 dropped 33 C:\Users\Public\ZH0OUCCaah2.exe, PE32 8->33 dropped 63 Drops PE files to the user root directory 8->63 12 yuMBYoKlosa.exe 14 7 8->12         started        17 ZH0OUCCaah2.exe 2 8->17         started        signatures5 process6 dnsIp7 45 ip-api.com 208.95.112.1, 49721, 49724, 80 TUT-ASUS United States 12->45 47 checkip.eu-west-1.prod.check-ip.aws.a2z.com 18.202.70.8, 49720, 49723, 80 AMAZON-02US United States 12->47 51 2 other IPs or domains 12->51 35 C:\ProgramData\...\346ac59c.exe, PE32 12->35 dropped 37 C:\Users\user\AppData\...\tmp1174.tmp.bat, DOS 12->37 dropped 65 Multi AV Scanner detection for dropped file 12->65 67 May check the online IP address of the machine 12->67 69 Machine Learning detection for dropped file 12->69 71 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->71 19 cmd.exe 1 12->19         started        49 188.68.205.12, 20861 ITNET33RU Russian Federation 17->49 73 Antivirus detection for dropped file 17->73 file8 signatures9 process10 process11 21 reg.exe 1 19->21         started        24 346ac59c.exe 15 2 19->24         started        27 conhost.exe 19->27         started        29 timeout.exe 1 19->29         started        dnsIp12 61 Creates an undocumented autostart registry key 21->61 39 5.188.119.76, 49725, 80 SELECTELRU Russian Federation 24->39 41 192.168.2.1 unknown unknown 24->41 43 4 other IPs or domains 24->43 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-03-28 08:36:36 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
17ff4c8a93af2be37922b4066c819f3ee2f7055268e0a76deea4b832a1a2c2fa
RedLineStealer
482b3100cc58a2a46a4c3b5bf334a584dee6ebc00ddd810c98cd666a1e1877ac
RedLineStealer
a2556ce4f6a53ac6e63f597e9fe1671bc3d65d6b0b2af5ff3824a890f99cd9aa
RedLineStealer
ac149ae2a35a8c8942c0057ab6435aa2c1b7b69a30c3a2ef20d41615507656e2
RedLineStealer
bdb1a17dbb8fadb35bc79b7947eae76dcbece4789dce0195c240dd2ec70a942f
RedLineStealer
d048d1f750a42a6ec45af4ea95fa97161f5d69e178b5c8cd467ddb1bb2fd69a1
RedLineStealer
+ 6'691 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:111 infostealer
Link:
https://tria.ge/reports/220407-wh1m4afhgr/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
188.68.205.12:20861
Unpacked files
SH256 hash:
98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
MD5 hash:
c523d423234494eeb7b60a892d7a4bea
SHA1 hash:
db992908237ee2ab5c07f4362b9a29516ac09a5d
Link:
https://www.unpac.me/results/6e3919ae-02e5-4c8c-884f-50887bb6d062/
SH256 hash:
9ff2e6275d3d9e43de22d1acce77cb536cda79b86f6605a73312110b0e74e78b
MD5 hash:
00221a6351e7426f7e88c157373f9b80
SHA1 hash:
198c2862a7fe3f2e0ec0913cc877bdd5fb7f11c4
Link:
https://www.unpac.me/results/6e3919ae-02e5-4c8c-884f-50887bb6d062/
SH256 hash:
8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43
MD5 hash:
2f84afead84a3699cb870693b05c308c
SHA1 hash:
f7a22058ca233ad6685af822a209598b6413b5d7
Link:
https://www.unpac.me/results/6e3919ae-02e5-4c8c-884f-50887bb6d062/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2136123/
Cape
Cape
https://www.capesandbox.com/analysis/261787/

Comments


Avatar
zbet commented on 2022-04-07 17:55:19 UTC

url : hxxp://107.189.6.214/EMXRxpPi/1_KpCGvNj.exe