MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fc221b7c8e3f52f22841c866cf0d842f2a1266e79b472273766ce1704474499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 17

SHA256 hash: 8fc221b7c8e3f52f22841c866cf0d842f2a1266e79b472273766ce1704474499
SHA3-384 hash: 216e442d24edb9bfb9fe9916bb38efdd015af36f9f6a46598327911b419c23f28259218a44a7e9c11dc20121a4f409a8
SHA1 hash: f5ea90ec6ad07f137c058ef2874dbd3a1b444f95
MD5 hash: 3a1085797ca3089008cb2b51d2fcdc84
humanhash: colorado-edward-march-black
File name: 3a1085797ca3089008cb2b51d2fcdc84.exe
Signature: RedLineStealer
File size: 7'168 bytes
First seen: 2024-10-15 17:20:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 96:/XE4Ok4l62wHEdMzsxPcVLpePDX6kNjNMhZrDXrFcAFrikDriSprimri4zNt:/XEdhvNlc526iNMhZrD7RFlLppN
Threatray: 2'708 similar samples on MalwareBazaar
TLSH: T100E1D814D7E8523BEE7B1BB99C7757400A74F761DA039F2E38842147AC12B450A637B9
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
87.120.127.223:42128

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 87.120.127.223:42128
ThreatFox reference: https://threatfox.abuse.ch/ioc/1336647/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 503
Origin country: NL

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 09d0e438a6a8666361559becb0359e5f
Verdict: Malicious activity
Analysis date: 2024-10-14 17:13:25 UTC
Tags: stealer redline evasion lefthook metastealer opendir loader rat asyncrat remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Powershell Infosteal Redline

Result
Verdict: MALICIOUS

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [graph not reproduced] Behavior Graph ID 1534363, sample 6RE1Z857ae.exe, start date 15/10/2024, architecture WINDOWS, score 100. The graph shows the process tree (6RE1Z857ae.exe, Adobe_Install_Updater.exe, build.exe, InstallUtil.exe, cmd.exe, conhost.exe, ipconfig.exe), network contact to 87.120.127.223:42128 and api.ip.sb, the dropped files (Adobe_Install_Updater.exe, build.exe, Plain_Checker.exe, Yftssfzf.exe) and the signatures listed above.
Threat name: ByteCode-MSIL.Trojan.CrypterX
Status: Malicious
First seen: 2024-10-14 19:35:00 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 21 of 38 (55.26%)
Threat level: 5/5

Result
Malware family: sectoprat
Score: 10/10
Tags: family:redline family:sectoprat botnet:7772121777 discovery infostealer persistence rat spyware stealer trojan
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 87.120.127.223:42128

Unpacked files
SHA256 hash: 8fc221b7c8e3f52f22841c866cf0d842f2a1266e79b472273766ce1704474499
MD5 hash: 3a1085797ca3089008cb2b51d2fcdc84
SHA1 hash: f5ea90ec6ad07f137c058ef2874dbd3a1b444f95
Detections: PureCrypter_Stage1

Malware family: RedLine.A
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 8fc221b7c8e3f52f22841c866cf0d842f2a1266e79b472273766ce1704474499 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE; Title: Missing Authenticode; Severity: high
ID: CHECK_DLL_CHARACTERISTICS; Title: Missing dll Security Characteristics (GUARD_CF); Severity: high
