MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202
SHA3-384 hash: 9b63e5a679b348bc2fdc094fc2dccdafce803b956ba81b91d79038c2c9bd7a789cdd6d79c4ea089bcee25cfd5e50998f
SHA1 hash: 8864ba24a1a6b3ebab55bbb41a59f7df4510f6ce
MD5 hash: df5c0e79a474d705d3bae534112585fb
humanhash: fillet-seventeen-wisconsin-oxygen
File name:df5c0e79a474d705d3bae534112585fb
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'683'227 bytes
First seen:2022-10-05 04:38:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bba10bc6e6e0c67365da76653e3e10d (11 x RedLineStealer, 3 x ArkeiStealer, 1 x ErbiumStealer)
ssdeep 24576:Uu7ex3hC3Y+YC9p7A6RMvQdZwPocYhW2z63KD2oHILpIfel3RuQ55313K:mx3h8KwWXKD2oHI+2l3U
Threatray 695 similar samples on MalwareBazaar
TLSH T13BC51A135A8B0D75DDD23BB4A1CB633AA734ED30CA3A9F7FB608C42959532C56C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316712/
Detection(s):
Win.Malware.Redlinestealer-9972832-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41238/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm overlay packed spyeye
Link:
https://www.filescan.io/uploads/633d0a69d089a0c15dd54643/reports/31382184-a076-451c-867d-ffa4a466bd9e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eccf9c06-e65c-40d5-a85f-c5aabb2acf2c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083855
Signature
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 04:39:23 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqasalpw7sngje3nufl7dqba3i7vxu7ptyz45q7yime6ffr4kiba._file
Verdict:
malicious
Similar samples:
6d0429bb3533ea8cd3b10d207ec5505ac0d38692f7f4cd1375db7cd1aba0be6e
RedLineStealer
727be5cee6ca4efd8b66e94850461d4d1aab5757d8530d69596b2bd1967790a0
RedLineStealer
7eff4f2344e8b0857d8045e73a199fc159ce1cbcd6a405606dd5e01c437fe6d0
RedLineStealer
af9b0aceb849661464687ad60a63732dc1391838e463e6eb29fbf52e2feb3a58
RedLineStealer
cdc9f6db38735ea160b075611a5ff62fdfe572f543a59f5170856e067fbf5112
RedLineStealer
efb1e519d5a9d527a474eb694ba20dc7589a0cd7347941185a6276d76d0c8f34
RedLineStealer
fcd01c9fed690b2bad435c5bab5925cc1132c4c622f18af09d437f9e4957b84b
RedLineStealer
+ 685 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:5397150605_99 infostealer spyware
Link:
https://tria.ge/reports/221005-e9y5xadfaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
zaraat.xyz:37397
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fab04e2c-4092-4233-acf0-1dc0a824231c
Unpacked files
SH256 hash:
2b207afc005d847338419d06f80d53231c58fad346930cf627104ee28f0c8d15
MD5 hash:
f4f6c4501e3e14061875f486f674f488
SHA1 hash:
6bd45a70d5f212f5688d2546b4622d130ae14eb8
Link:
https://www.unpac.me/results/213020c3-53c6-4c51-9229-d5f4e622f5ca/
SH256 hash:
bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202
MD5 hash:
df5c0e79a474d705d3bae534112585fb
SHA1 hash:
8864ba24a1a6b3ebab55bbb41a59f7df4510f6ce
Link:
https://www.unpac.me/results/213020c3-53c6-4c51-9229-d5f4e622f5ca/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc01202df6fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/316712/

Comments


Avatar
zbet commented on 2022-10-05 04:38:23 UTC

url : hxxp://deadxbc9.beget.tech/build/3.exe