MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f8b4e6160b8cae38918dfc11b166102cf2d9ac47cf8443879eef4da81f7366. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

SHA256 hash: b9f8b4e6160b8cae38918dfc11b166102cf2d9ac47cf8443879eef4da81f7366
SHA3-384 hash: 1d06fb7e15c560d00b41dab9b64c206ca7f045387505eee2e72a76a99d9a5de362e0f8def4727575b134949c4130adee
SHA1 hash: 5a5c60841475761cc8e5cfc94db6d236756f1070
MD5 hash: 821fa6aab23d6becaa80644e25d9e5e3
humanhash: connecticut-autumn-two-bluebird
File name: 821fa6aab23d6becaa80644e25d9e5e3.exe
Signature: RedLineStealer
File size: 4'875'928 bytes
First seen: 2022-03-03 09:40:40 UTC
Last seen: 2022-03-23 05:02:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dfec469ff9e19f9df882decc3c09398f (45 x RedLineStealer, 1 x Formbook, 1 x ArkeiStealer)
ssdeep: 98304:rXnNjeWU4lSINKl7AMahLHg2lFJesSnMR6nJ8GvGUVwHl+zd1Y2APQQ:7nBeWdlSeKl7ApLHtgsSMRQJ8KVwFImn
Threatray: 1'509 similar samples on MalwareBazaar
TLSH: T1163633ADBB1DD1F5D8ADC17905A7FF091A7317BA6487141B0DEE4883EB7400DAC2A29C
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 3
# of downloads: 215
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating synchronization primitives
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file has nameless sections
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour: Behavior Graph (image not included)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-02-17 19:31:00 UTC
File Type: PE (Exe)
AV detection: 31 of 42 (73.81%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files

SHA256 hash: 515c0897bfc3f032a2227c00b28272dd35cb5a70da143d077f13daa9fcf10200
MD5 hash: 1c93d9a1c31f4bb218e12229b29ec512
SHA1 hash: 14ebd8089ff35033b61e075020a3d401da2fb053

SHA256 hash: 36f089631e5d12681d9102dbecf205550ddaca028565cc6d2830597f2302e92e
MD5 hash: 4f331eda82abc89826e85f1f2698ec6c
SHA1 hash: c00763c7dde0fe74669c8cfd8a229940b1cf37fc

SHA256 hash: b9f8b4e6160b8cae38918dfc11b166102cf2d9ac47cf8443879eef4da81f7366
MD5 hash: 821fa6aab23d6becaa80644e25d9e5e3
SHA1 hash: 5a5c60841475761cc8e5cfc94db6d236756f1070

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe, b9f8b4e6160b8cae38918dfc11b166102cf2d9ac47cf8443879eef4da81f7366 (this sample)

Delivery method
Distributed via web download

Comments