MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f08798d07631c972e1d31bd0c696859d060fdce618eb3fc0c214b94038767b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8f08798d07631c972e1d31bd0c696859d060fdce618eb3fc0c214b94038767b
SHA3-384 hash: 5470f14a67440f6d3d6b1120e8e278b4ce76a9247a9c2874ff47dc9b8ba3989f6710120c35b31510a06260539e02af4d
SHA1 hash: cfd3740eaf17aacd4506c7d0cb8bfdf02495ed06
MD5 hash: ab95d078a29cdd0ba060b4ec17d632d1
humanhash: bluebird-hot-illinois-ten
File name:ab95d078a29cdd0ba060b4ec17d632d1
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'233'097 bytes
First seen:2021-06-14 22:33:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep 24576:t9btxEOfNMkNAPo5yF43jxfZDCzcpQ7JdwaZ1UaOCeoBrwwztq:tNNfakNAI5xxD7p0Q2swQ
Threatray 291 similar samples on MalwareBazaar
TLSH 6A45F004E253A361C09BF3FE251DF27444294E3F0791A6C37778FED699E8E8896242B5
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab95d078a29cdd0ba060b4ec17d632d1
Verdict:
Malicious activity
Analysis date:
2021-06-14 22:39:21 UTC
Tags:
autoit trojan rat redline
Link:
https://app.any.run/tasks/3fa8ba3b-2003-4a76-a96a-dfd58bde4cf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Backdoor.Agent.Win32.80093.30955.12989.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Sending a UDP request
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b568e04f-2b66-4566-923e-fc8e78bc8985
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/802053
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Deletes itself after installation
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 434449 Sample: MQfYkJ9d1J Startdate: 15/06/2021 Architecture: WINDOWS Score: 66 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: Drops script at startup location 2->61 63 Machine Learning detection for sample 2->63 9 MQfYkJ9d1J.exe 7 2->9         started        12 wscript.exe 2->12         started        14 mBtfSlwFzE.exe.com 2->14         started        process3 dnsIp4 71 Contains functionality to register a low level keyboard hook 9->71 17 cmd.exe 1 9->17         started        73 Creates processes via WMI 12->73 49 AQkIGrCyMXsvGazK.AQkIGrCyMXsvGazK 14->49 signatures5 process6 signatures7 51 Submitted sample is a known malware sample 17->51 53 Obfuscated command line found 17->53 55 Uses ping.exe to sleep 17->55 57 Uses ping.exe to check the status of other devices and networks 17->57 20 cmd.exe 3 17->20         started        23 conhost.exe 17->23         started        process8 signatures9 65 Obfuscated command line found 20->65 67 Uses ping.exe to sleep 20->67 25 Raccontava.exe.com 20->25         started        28 PING.EXE 1 20->28         started        31 findstr.exe 1 20->31         started        process10 dnsIp11 75 Drops PE files with a suspicious file extension 25->75 34 Raccontava.exe.com 6 25->34         started        47 127.0.0.1 unknown unknown 28->47 43 C:\Users\user\AppData\...\Raccontava.exe.com, Targa 31->43 dropped file12 signatures13 process14 dnsIp15 45 AQkIGrCyMXsvGazK.AQkIGrCyMXsvGazK 34->45 39 C:\Users\user\AppData\...\mBtfSlwFzE.exe.com, PE32 34->39 dropped 41 C:\Users\user\AppData\...\mBtfSlwFzE.url, MS 34->41 dropped 69 Deletes itself after installation 34->69 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8f08798d07631c972e1d31bd0c696859d060fdce618eb3fc0c214b94038767b/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-06-14 22:34:11 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdyipggqoyy4s4xb2mn5bruwqwoqmd644ymowp6ayiklsqbyoz5q._file
Verdict:
malicious
Similar samples:
04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf
RedLineStealer
056cc0e43fd5b75d6aaa8ab8651394428b1751c538b92aaa088ee3ff79efc20f
RedLineStealer
1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57
RedLineStealer
497c07b12b4e7f9082b872ef2aac2e9619f1dbc82c94993724cd246dd54b38c4
RedLineStealer
834ccdd87931ab88f011372377befbafda51abccff557c7dd3e01682580716fb
RedLineStealer
9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186
RedLineStealer
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
RedLineStealer
c3c916d14f61357a5e5a61e2efe0f061dc2b8b2cc4b113155f0048a752cdc85d
RedLineStealer
e5dae08e748e408a4a256bd0c5d216281596a20399ea0127ac35b1661248b3ea
RedLineStealer
f2a7cc00ce9933490e51df2d5df9e7b0b2165c73297a9fa8a99fbf51b85926b8
RedLineStealer
+ 281 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210614-s1vdt12qpe/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
66bfa8a09b6610d6a8040bfb60f429fdd1c4e7e9279321eb04932c6e4172f286
MD5 hash:
9dcce3e9214b4345df33e09ed7d113ce
SHA1 hash:
94207f3a690692e98aaf6393beee91abc3fcaf4c
Link:
https://www.unpac.me/results/e25802fc-79ba-442f-8838-820467ddef65/
SH256 hash:
b701e182737842040f9d52c5e9933e574618e476d665f7c911070fb69fe6cfae
MD5 hash:
433cba7fdf36974e61f48b47ab05da7a
SHA1 hash:
12a009fecdaeae8539e036eae072c19ddce3ab70
Link:
https://www.unpac.me/results/e25802fc-79ba-442f-8838-820467ddef65/
SH256 hash:
a8f08798d07631c972e1d31bd0c696859d060fdce618eb3fc0c214b94038767b
MD5 hash:
ab95d078a29cdd0ba060b4ec17d632d1
SHA1 hash:
cfd3740eaf17aacd4506c7d0cb8bfdf02495ed06
Link:
https://www.unpac.me/results/e25802fc-79ba-442f-8838-820467ddef65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8f08798d07631c972e1d31bd0c696859d060fdce618eb3fc0c214b94038767b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a8f08798d07631c972e1d31bd0c696859d060fdce618eb3fc0c214b94038767b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1366640/

Comments