MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0fce8abd720ac4e28d24b62a9c26c8ffc65daed099034bb4e30e91b8d88a7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0fce8abd720ac4e28d24b62a9c26c8ffc65daed099034bb4e30e91b8d88a7a5
SHA3-384 hash: 4dc68afbcbdc03f3cc67952035bd88feec3f0dc6ddb4eac6dc123858aaa9946571726d9ba7942a61188e6e74cd4feecb
SHA1 hash: c601333346919e662390ee23c112a0c207b45063
MD5 hash: 3238cb395d0608d6bd18d7c6b5c41b99
humanhash: bravo-hawaii-red-minnesota
File name:3238cb395d0608d6bd18d7c6b5c41b99
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'096'512 bytes
First seen:2022-02-25 05:22:41 UTC
Last seen:2022-02-25 07:23:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 98304:G7Ln6g8B1tN1bwI3X6cAM4uHc9H488g/JVVGCeRX3:G7LkBZsfmcoQJVVGCeRn
Threatray 1'425 similar samples on MalwareBazaar
TLSH T1F11633F19A631B35CD3881F49F2F91072A56B209931B408C2FADCE792466DEFF4C6499
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.253:4752 https://threatfox.abuse.ch/ioc/390795/

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244595/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/621867c2b94fb38cb4025469/reports/329afe89-77ad-4d27-b256-b866d7b3f32b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9a5dc92-9b59-483f-a1bc-2965be6eb208
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946185
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0fce8abd720ac4e28d24b62a9c26c8ffc65daed099034bb4e30e91b8d88a7a5/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 05:23:21 UTC
File Type:
PE (Exe)
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wd6ork6xecwe4kgsjnrktqtmr76glwxnbgidjo2ogdurxdmiu6sq._file
Verdict:
malicious
Similar samples:
00427344e070941ca266d725e67a57688ae7676b6bf3f71b98bf13292f1c8ae5
RedLineStealer
23f66190a2c59e4ab6da005de3097ba5b9275424f6bccabdca86d51746436575
RedLineStealer
38a2144651bd3980612f92a1cd2308adf10dd630d618ee05232bf1a8cf76444c
RedLineStealer
784b57a228a2f48425e7bbb078d32b1fed781703235408f0f5596a5a9fa85de1
RedLineStealer
969c029de17f0ef017c1e1bad71b2eb650a5f0c7de8fc7adf4dc891fb7782be2
RedLineStealer
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
RedLineStealer
a9d5dd27eb1a75fb1ddf76fe98671cc1eb78b903dff107aa8612c2d74cb305f7
RedLineStealer
cbd2e4d355d89e4ee867270ff57a6602d33cfed8eaab417e63ee0ba25d788abc
RedLineStealer
d432be6fd56140d4e9d3d207020c464277e729fea06bd1c3ef6adb491a772957
RedLineStealer
f905fcddf98afaa77739067a27733b7999cdcce7bd09f40921312c43cfb464cd
RedLineStealer
+ 1'415 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220225-f254xsgbfn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
6b569ef65d7b342c2d7e23885dc3ec33c45882d94c89e8ff7dd991c5e3797443
MD5 hash:
c2a9c04129d4c27d826f436e23fd232a
SHA1 hash:
5f6dfb8897336dde36f755af8ce7099454301b6b
Link:
https://www.unpac.me/results/82c37a31-dfd0-4b78-92da-99e0a9b13c00/
SH256 hash:
3d6e61f03ed1f807cb9f408043570d159a50d295b906b7baa9474a68c8b422e5
MD5 hash:
57a2d72624b6f365c5c19347adb28ef8
SHA1 hash:
79f9d8a3090c250700716f7fc345bc6ff27f9f6c
Link:
https://www.unpac.me/results/82c37a31-dfd0-4b78-92da-99e0a9b13c00/
SH256 hash:
b0fce8abd720ac4e28d24b62a9c26c8ffc65daed099034bb4e30e91b8d88a7a5
MD5 hash:
3238cb395d0608d6bd18d7c6b5c41b99
SHA1 hash:
c601333346919e662390ee23c112a0c207b45063
Link:
https://www.unpac.me/results/82c37a31-dfd0-4b78-92da-99e0a9b13c00/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b0fce8abd720/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0fce8abd720ac4e28d24b62a9c26c8ffc65daed099034bb4e30e91b8d88a7a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b0fce8abd720ac4e28d24b62a9c26c8ffc65daed099034bb4e30e91b8d88a7a5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2059325/
Cape
Cape
https://www.capesandbox.com/analysis/244595/

Comments


Avatar
zbet commented on 2022-02-25 05:22:43 UTC

url : hxxp://79.133.56.44/myblog/img/110.exe