MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05
SHA3-384 hash: e3c5ac9b5c33b039b2841953a5ab604a755ac7db67e249df4c3d3133b3c12fd42c32ffd2b7493d30cc23cc9f839827b6
SHA1 hash: c0ffbc52934f45ac5de2af1bc545a11f3d961713
MD5 hash: 29ab96aab2936a83493071d8bbd1152b
humanhash: aspen-alanine-september-april
File name:NEW ORDER SAMPLE LITS.pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:849'106 bytes
First seen:2023-07-19 08:40:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep 12288:f3DkEGDINi1EwkG8/sHWihcD8hwbL8tN2cEFLjGPSciSYoIjYtl0xzyuxHHmC5:/DkUNi1EvGVWD8u8EGac3YoIxpV5
Threatray 83 similar samples on MalwareBazaar
TLSH T1FE050221B6C580B2E8A65C350EE1A375BB7C7D3107354FCBAB800A5D9F605C19B35BAB
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f2ceaeaeb2968eaa (68 x RedLineStealer, 21 x AgentTesla, 18 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.95.168.223:55615

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER SAMPLE LITS.pdf.exe
Verdict:
No threats detected
Analysis date:
2023-07-19 08:41:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e0fd750-c6e3-480d-8b86-6f3116661c1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424538/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.19274.32072.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin masquerade overlay packed replace setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/64b7a1a0f3c193545ac6ca66/reports/527e11ce-24b1-4437-8385-3dc77a6a9356/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a9a05d1-4713-4abf-bda4-40d0a64335d1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275792
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275792 Sample: NEW_ORDER_SAMPLE_LITS.pdf.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->57 59 8 other signatures 2->59 8 NEW_ORDER_SAMPLE_LITS.pdf.exe 11 2->8         started        11 ZYXoYkLYjBY.exe 5 2->11         started        process3 file4 41 C:\Users\user\AppData\Local\Temp\...\PO.exe, PE32 8->41 dropped 14 PO.exe 6 8->14         started        65 Injects a PE file into a foreign processes 11->65 18 ZYXoYkLYjBY.exe 11->18         started        21 schtasks.exe 11->21         started        signatures5 process6 dnsIp7 43 C:\Users\user\AppData\...\ZYXoYkLYjBY.exe, PE32 14->43 dropped 45 C:\Users\user\AppData\Local\...\tmp1618.tmp, XML 14->45 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->67 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 14->71 75 2 other signatures 14->75 23 PO.exe 15 29 14->23         started        27 powershell.exe 21 14->27         started        29 schtasks.exe 1 14->29         started        47 api.ip.sb 18->47 73 Tries to steal Crypto Currency Wallets 18->73 31 conhost.exe 18->31         started        33 conhost.exe 21->33         started        file8 signatures9 process10 dnsIp11 49 45.95.168.223, 49695, 49697, 49698 GIGANET-HUGigaNetInternetServiceProviderCoHU Croatia (LOCAL Name: Hrvatska) 23->49 51 api.ip.sb 23->51 61 Tries to harvest and steal browser information (history, passwords, etc) 23->61 63 Tries to steal Crypto Currency Wallets 23->63 35 conhost.exe 23->35         started        37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 08:41:06 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcqepy6nioe3odktfd4ifblh5t6x2mekvkach4t5f2xeihelfqcq._file
Verdict:
malicious
Similar samples:
085692e71ab34556d9c9ca011c81b75997225a5c2a9b6047d8d701e77ec23e06
RedLineStealer
20951ff7514d86ca63b5560cb127f2da1bacefe032c8c839f1aaea354478b821
RedLineStealer
3f94f8beb67786d2c22f9db56a81aa1bfe29e34bd7c52db6cfe71e57d688a0fb
RedLineStealer
484794d12f8acdb2894d9009c17421bf0b5be491eb43273f35bdf56295b26ff0
RedLineStealer
653712fe2ab77c16473454a92a6ee7200e7c9600262bbb24e14612bdf393185f
RedLineStealer
6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a
RedLineStealer
8a22014ada2999b66ab041f0aa93f42fb50b481778ce709272209dc9a96a9135
RedLineStealer
b0ca90a4a10611f098fc18e528de4ad9f37c8272a525cd9fb44f8db874f25038
RedLineStealer
b166f8281abdfa0539055969167c53f0d389af8bc8675a7455c1b74da2dddaa7
RedLineStealer
d9a9040d06a0889e7adaf4db52a4e241e4a2b9c40c3a532c904f49cadac7bb52
RedLineStealer
+ 73 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat discovery infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/230719-klen9aaa82/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
45.95.168.223:55615
Unpacked files
SH256 hash:
45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c
MD5 hash:
ca775551666be768a9241f43eec98b87
SHA1 hash:
fbbd937067a24c48ee5274d3fa2881a991e64f3c
Link:
https://www.unpac.me/results/29732887-c1f3-434c-a2b4-0a2b61bb19f0/
SH256 hash:
e45c9c5b89865a0f43853c9ea8b82e4be1ead3bb732af7528c5b7eebadb1dada
MD5 hash:
ec1f7be3b6303770eeb2865748c105ee
SHA1 hash:
b8919929e22cae7dd6d53999c6acf1b1458fab55
Link:
https://www.unpac.me/results/29732887-c1f3-434c-a2b4-0a2b61bb19f0/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/29732887-c1f3-434c-a2b4-0a2b61bb19f0/
SH256 hash:
e1a614cdc94dfe63271ea59365a1445ea3c64da6661b1bb00d67e4bffb0c948a
MD5 hash:
a2ed18cdf06bf6e9920d53cb56c510cb
SHA1 hash:
388484ba9cfc6cc33d751527eb09d843b6120c45
Link:
https://www.unpac.me/results/29732887-c1f3-434c-a2b4-0a2b61bb19f0/
SH256 hash:
b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05
MD5 hash:
29ab96aab2936a83493071d8bbd1152b
SHA1 hash:
c0ffbc52934f45ac5de2af1bc545a11f3d961713
Link:
https://www.unpac.me/results/29732887-c1f3-434c-a2b4-0a2b61bb19f0/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8a047e3cd43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/424538/

Comments