MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f6395ba8bc75356ab43438f8378a40925a6aeabc3c446a626a484c54cac51fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	8f6395ba8bc75356ab43438f8378a40925a6aeabc3c446a626a484c54cac51fe
SHA3-384 hash:	d96fab0b70b6e714906aefd8f6061d3ba12aa751dceb75ec26a156969d22323cc4d511fdd84197cb6ea45189299fccbb
SHA1 hash:	88feb4e71368b4163ab4a3afd6995211ed5fbcb1
MD5 hash:	5d059f6a5da9c90b000ffdff0ec71cae
humanhash:	mike-king-idaho-mirror
File name:	5d059f6a5da9c90b000ffdff0ec71cae.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	390'144 bytes
First seen:	2021-09-22 12:09:07 UTC
Last seen:	2021-09-22 13:40:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0f0c12643909b692a9be3510bdc965e8 (6 x RedLineStealer, 1 x Glupteba)
ssdeep	6144:R0CUuPW9d+jjFPYacga9PUWOJRDJFuqmLnq6ELLwUAE6dLfV16t:xUuPW9d+3FY9P6bDWrnql6dLVwt
Threatray	2'068 similar samples on MalwareBazaar
TLSH	T12684AE20BAE0C035F5F752F889B597A8A93E7EB15B3490CB62D126FA16342E4DC31357
File icon (PE):
dhash icon	ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5d059f6a5da9c90b000ffdff0ec71cae.exe

Verdict:

Malicious activity

Analysis date:

2021-09-22 12:14:03 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/373dcded-c244-4fd3-8845-e71b8236bd82

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/190150/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.11024.26640.UNOFFICIAL

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd932ecc-a724-4096-a04d-84c9db99ddb5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/856022

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f6395ba8bc75356ab43438f8378a40925a6aeabc3c446a626a484c54cac51fe/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-22 12:09:12 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=r5rzlouly5jvnk2diohyg6febes2nlvlypcenjrguscmktfmkh7a._file

Verdict:

malicious

RedLineStealer

1e1deef0a751a50e5afd6524e5c4e254f02936922e3d2da42e003546e761ec54

RedLineStealer

3f325a237265eac17786e79dab8fd11688d7022755982385b8ee17de035570d5

RedLineStealer

423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110

RedLineStealer

6ed0e0fc4fc180454a9ebb07cf9cebecdc7595bde25f883f0360e1fc5cde77a3

RedLineStealer

c2dd287121b9ecbd07a1f4ca65b433e2d56df56f360c7f2037d17845a9705f5e

RedLineStealer

+ 2'058 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:uts discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210922-pb2s9acea9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.20:13441

Unpacked files

SH256 hash:

0af5150a5c8f9a5f2678baf604a172626ed229efb82df96d7c358b27eb035b95

MD5 hash:

45b9ad483e9f5647e8f37dc8824d3831

SHA1 hash:

fe09a099996b14eea72674be9a9a6c5963cf7cb8

Link:

https://www.unpac.me/results/dfcc44a6-4913-49b8-8048-b72135ae89ab/

SH256 hash:

2fe3f6fc8b9b9f4d1bddc0e97ddd64229da2a069cf199bcd435d14a3e27e4e19

MD5 hash:

f0f9a9448f7a0494d9bf6e11694bfce0

SHA1 hash:

e3d5c8af3b294813b562fead751cc5c2f5c8a51c

Link:

https://www.unpac.me/results/dfcc44a6-4913-49b8-8048-b72135ae89ab/

SH256 hash:

9fd5a295d9c662d120e8d2688ac4b645c3f4390299e4649b8bf76172f6a66425

MD5 hash:

07e9d4478cddb490f89b0edb4842ab0e

SHA1 hash:

48ea47adc76e29fbb23f8c82c7d1b4761f3216fa

Link:

https://www.unpac.me/results/dfcc44a6-4913-49b8-8048-b72135ae89ab/

SH256 hash:

8f6395ba8bc75356ab43438f8378a40925a6aeabc3c446a626a484c54cac51fe

MD5 hash:

5d059f6a5da9c90b000ffdff0ec71cae

SHA1 hash:

88feb4e71368b4163ab4a3afd6995211ed5fbcb1

Link:

https://www.unpac.me/results/dfcc44a6-4913-49b8-8048-b72135ae89ab/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f6395ba8bc75356ab43438f8378a40925a6aeabc3c446a626a484c54cac51fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.