MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96c8b3ebbf0c015414e7a27a128dce9a4e4fc7c926904884fd16036c9afdd413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11



SHA256 hash: 96c8b3ebbf0c015414e7a27a128dce9a4e4fc7c926904884fd16036c9afdd413
SHA3-384 hash: 63c80ec5e93484929318dcfe873bf76fc8088f4d2628c0952b650a7382484bce88274825689f701bc1ae9d0ffaa8afc8
SHA1 hash: 43d841b0d7df7f062c4386c3a42cf2cfaf5ad5f7
MD5 hash: deeac0d13bbbcfe4612ed896f95b1344
humanhash: timing-timing-lake-ceiling
File name: deeac0d13bbbcfe4612ed896f95b1344.exe
Signature: RedLineStealer
File size: 459'776 bytes
First seen: 2021-10-27 14:40:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 12288:a5oaqjp/9TRvqB0IryItQ7VKd2OXN+KH/TSnwu28NKjxm1:a5v4DTRCQsgOXNf/duHN7
Threatray 80 similar samples on MalwareBazaar
TLSH T1A0A4F152B1E01189EBB581FBE8425B46E67170720721A3DB2B7813B71F5B9CA8F7C394
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 102
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Password_is_5432764372___BitlyWindows10t.rar
Verdict: Malicious activity
Analysis date: 2021-10-27 13:41:16 UTC
Tags: trojan autoit evasion rat azorult redline opendir stealer vidar formbook raccoon fareit pony loader smoke

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files

Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 48 / 100
Signature
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph (ID 510258; sample Hl9GJ6GvUS.exe; start date 27/10/2021; architecture WINDOWS; score 48), as recovered from the graph image:
  Hl9GJ6GvUS.exe (started)
    signatures: Antivirus detection for dropped file; Yara detected BatToExe compiled binary
    dropped: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\9014.bat (ASCII)
    started: cmd.exe; conhost.exe
  cmd.exe
    signature: Uses BatToExe to download additional code
    started: extd.exe (four instances)
  extd.exe
    signature: Multi AV Scanner detection for dropped file
    network: cdn.discordapp.com 162.159.134.233, 443, 49752, 49753, CLOUDFLARENETUS United States
Threat name: Win64.Trojan.Phonzy
Status: Malicious
First seen: 2021-10-27 14:40:33 UTC
AV detection: 11 of 28 (39.29%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer upx
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Unpacked files
SHA256 hash: 96c8b3ebbf0c015414e7a27a128dce9a4e4fc7c926904884fd16036c9afdd413
MD5 hash: deeac0d13bbbcfe4612ed896f95b1344
SHA1 hash: 43d841b0d7df7f062c4386c3a42cf2cfaf5ad5f7
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments