MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
SHA3-384 hash: 60a4f81eb8c7f6c5652c9cd076d07f9a2fcf016f7321506e023f434bfc552e65c832e41e0d699975ce7607e8eda5029f
SHA1 hash: 4da058bd39c6a1e9335a465d61cf52a6fd631b72
MD5 hash: d6132184c01b788529e5ba3339a6cb30
humanhash: missouri-avocado-summer-table
File name:d6132184c01b788529e5ba3339a6cb30.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:858'624 bytes
First seen:2023-02-11 09:41:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:rMrwy90+GUR9gLYR0g9+toVKl+6l98H5Qh1hx54Dv1pzrwfyCZn/l8hZisrL+Y9g:vyLmcr9+towlE5UEjcdZ/yh5TyEal
Threatray 12'628 similar samples on MalwareBazaar
TLSH T103051203BAE89072E9B5577008F607C31A32BD915BB8838B779F9C990573670B239767
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.12:4132

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d6132184c01b788529e5ba3339a6cb30.exe
Verdict:
Malicious activity
Analysis date:
2023-02-11 09:44:14 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e6d350e1-0a81-46f2-8b7f-cc00006acae5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/363906/
Detection(s):
Win.Packed.Disabler-9987080-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/68063/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/914cabe1-5a5f-470b-9a4c-8450bbd53804
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1171941
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 804730 Sample: KIG0T9SRQN.exe Startdate: 11/02/2023 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for dropped file 2->66 68 10 other signatures 2->68 9 KIG0T9SRQN.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 file4 46 C:\Users\user\AppData\Local\...\vNP22.exe, PE32 9->46 dropped 48 C:\Users\user\AppData\Local\...\slX74.exe, PE32 9->48 dropped 18 vNP22.exe 1 4 9->18         started        process5 file6 38 C:\Users\user\AppData\Local\...\vxo97.exe, PE32 18->38 dropped 40 C:\Users\user\AppData\Local\...\nHv19.exe, PE32 18->40 dropped 70 Antivirus detection for dropped file 18->70 72 Multi AV Scanner detection for dropped file 18->72 74 Machine Learning detection for dropped file 18->74 22 vxo97.exe 1 4 18->22         started        signatures7 process8 file9 42 C:\Users\user\AppData\Local\...\lDz09.exe, PE32 22->42 dropped 44 C:\Users\user\AppData\Local\...\dOj26.exe, PE32 22->44 dropped 76 Multi AV Scanner detection for dropped file 22->76 78 Machine Learning detection for dropped file 22->78 26 lDz09.exe 1 22->26         started        29 dOj26.exe 5 22->29         started        signatures10 process11 dnsIp12 80 Multi AV Scanner detection for dropped file 26->80 82 Machine Learning detection for dropped file 26->82 84 Writes to foreign memory regions 26->84 92 2 other signatures 26->92 32 AppLaunch.exe 3 26->32         started        36 conhost.exe 26->36         started        52 193.233.20.12, 4132, 49695 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 29->52 86 Detected unpacking (changes PE section rights) 29->86 88 Detected unpacking (overwrites its own PE header) 29->88 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->90 94 2 other signatures 29->94 signatures13 process14 dnsIp15 50 176.113.115.17, 4132, 49696 SELECTELRU Russian Federation 32->50 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->56 58 Tries to harvest and steal browser information (history, passwords, etc) 32->58 60 Tries to steal Crypto Currency Wallets 32->60 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-11 09:42:09 UTC
File Type:
PE (Exe)
Extracted files:
215
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xd63gzzbftt7lo7vgr5vlgt6x75vbfdht23rnmjw6y6r7tk7j7tq._file
Verdict:
malicious
Similar samples:
25811e71ad0831d7aee231e3c03245be29615cc8e4e5ea7165fde73bfa4960bc
RedLineStealer
2628ab1c8d488cbf56661f77c6004bb606546b708759dde8f525db983515f5fa
RedLineStealer
3c6ee18e05f8ff187011dcac773e31c0bf128a2d4c8d3a17eeb8895fdb70b8d3
RedLineStealer
6e22d94efa87e5166e89cb33d13758e32524e20820632f06ba8676389e5a0018
RedLineStealer
728680d2b009f96df9c5cc0d867531f437a54352e0e66d67fe2269d0df793cb5
RedLineStealer
b586a85b1fc9d0b8370c88bca896d68b72797ee31e77f0afd080314dd6ca259e
RedLineStealer
c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7
RedLineStealer
c3459cba29b38190411467d23a91f8e6577c5d3241bbe59858282b1c4a41d3bf
RedLineStealer
eb60c51b5a320c3ae6a4619af7cc49ab89545ce78934362eee1690f88e4f5513
RedLineStealer
+ 12'618 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:crypt1 botnet:dunm botnet:romik discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230211-lpcjqsde5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.12:4132
176.113.115.17:4132
Unpacked files
SH256 hash:
6025e99b61cf27e4199afba2bbcaff306e1c73eb08d7706210b26d8e785f8a38
MD5 hash:
5a5d7c502c8de78f62818cd74dc3fad9
SHA1 hash:
f6a32259e84173fa3e674287fed9f7682d91ed00
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/59e0feba-11c3-4437-ad0a-c6e3884e23a2/
Parent samples :
2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
2939c2394ceba4ec6d09b39765f26de7b9b2e768ffe5426da4f1833f33b015ee
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dfbca902423ad0c0b53e3abb0cb4e57b3ee266cb4eaec98b9baf4b107d19ccd6
0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
dca38093bc51d165acf5754982d66fe28509c85d65492d8428a240e1f85df435
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
0423f6894af5cdff8c3ea348370c3c9e950fa161b6aa7ea78ae43020d6ad6458
1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
b39502990b9ff0db6a020260147dac82e89ca3046f526ec81f3a6af1f241e78a
e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b
SH256 hash:
75f41983d7da68c378b64f8e5633bde393f9c550469ae5bd4da6d64d6674286b
MD5 hash:
285e4cae921c512fec71492eaafc27c4
SHA1 hash:
7a1022b0ec66c57a216bd0f842906917e7851130
Link:
https://www.unpac.me/results/59e0feba-11c3-4437-ad0a-c6e3884e23a2/
SH256 hash:
1b58cc46582d2af490ccd73e499c060493e03745d063c364e056b37bd27e923a
MD5 hash:
f99f30bc6d50869fd3efb586d707941c
SHA1 hash:
779d52ff7e1606bc249318253906cd380bc02148
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/59e0feba-11c3-4437-ad0a-c6e3884e23a2/
Parent samples :
2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b
SH256 hash:
7c4edb1b80be10e76fa6dfea7a1af224f3619f1d1c2077bdc2ac3ab9c1d4ff51
MD5 hash:
62f63cc7bf8429bb8f6329430afa1602
SHA1 hash:
25b032ca91d282c3aa3bee98571586f5cc031839
Link:
https://www.unpac.me/results/59e0feba-11c3-4437-ad0a-c6e3884e23a2/
SH256 hash:
882f143e935112b8db527305f9944394f9ac638c3924793df84c8147f8df66a0
MD5 hash:
804f5b116efc2c18b5bbf6b9bc2409fe
SHA1 hash:
b95ec75ccf1d250487293ee4dd00082a5409b935
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/59e0feba-11c3-4437-ad0a-c6e3884e23a2/
Parent samples :
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
SH256 hash:
d496b8d1b9ba1fcee6204dba3196029f2f6813a81df7adab85270b7cfcdd3e0d
MD5 hash:
7cfe1d7d7bb87f72bef04686552794a2
SHA1 hash:
37cf19b9f23b863104aa998b75467523b26badb2
Link:
https://www.unpac.me/results/59e0feba-11c3-4437-ad0a-c6e3884e23a2/
SH256 hash:
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
MD5 hash:
d6132184c01b788529e5ba3339a6cb30
SHA1 hash:
4da058bd39c6a1e9335a465d61cf52a6fd631b72
Link:
https://www.unpac.me/results/59e0feba-11c3-4437-ad0a-c6e3884e23a2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8fdb367212c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2535038/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/363906/

Comments