MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc1f4d9da2e338e72dbf04bb16b7ca8fc11c04fbdc15085b1d72498c3f1670b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	bc1f4d9da2e338e72dbf04bb16b7ca8fc11c04fbdc15085b1d72498c3f1670b9
SHA3-384 hash:	42416f59066638e1104a5b8c472d59151c26041f05f0781fa0716aec9d0d30cf54237ab10c22e7f9825b3501d6f32df6
SHA1 hash:	410b6e731e498e9aef016f1a664209bb0ff67ef7
MD5 hash:	7a7e7caa76993605b9f5b5748848166d
humanhash:	victor-sixteen-red-florida
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	52'224 bytes
First seen:	2022-08-22 15:32:54 UTC
Last seen:	2022-08-26 10:27:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	768:lrpIzx6q9Ff/YS2kvWtOHLfUVmmAyvwofbVMXMptY30+j1nhwSDDSIQ9HAHz:lrpIzEqjQSBWIrdEoYV8hh7DDMuz
Threatray	4'155 similar samples on MalwareBazaar
TLSH	T1013318057BFCA516F3BFAAB959F1802847B1F6666912D70F1C8840CE0E72F405A52BB7
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://cdn.discordapp.com/attachments/1005487487826788395/1009839385719623730/nzciwixhoog8mh_1.bmp

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-08-19 00:34:33 UTC

Tags:

opendir evasion trojan socelars stealer loader rat redline

Link:

https://app.any.run/tasks/39a0aa3b-c57f-4d52-9ee0-b97c0d577a63

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/300303/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.22492.29958.17745.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Reading critical registry keys

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP POST request

Creating a file

Creating a file in the system32 subdirectories

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/6303a234393b1c8c470472a7/reports/44d75433-8b1a-44c9-9fd4-78f7075e8d45/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dadf4401-d1eb-43f6-beb7-173a7636569d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1055704

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc1f4d9da2e338e72dbf04bb16b7ca8fc11c04fbdc15085b1d72498c3f1670b9/

Threat name:

ByteCode-MSIL.Spyware.RedLine

Status:

Malicious

First seen:

2022-08-19 18:13:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xqpu3hnc4m4ooln7as5rnn6kr7arybh33qkqqwy5ojeyypywoc4q._file

Verdict:

malicious

RedLineStealer

6903e33821d3a689d41e5e45cfd1e9bbb08109b741fe199b030e7e2875d7fbe5

RedLineStealer

8f7ac08d840cde6f0d3c1f877bd600a0d1962838aaa0aa9fde3ba1e167d5bc92

RedLineStealer

9cee1672ce8976fd4ec8e7920b6d9f5c4bd51991359c520db65d7a0fa387ff38

RedLineStealer

b74432a1a0a8b290a477242fe3e51db900944ab3776f2be927fcc12c83a5e701

RedLineStealer

cb3685962d9ff91cf33b96743e762ed6216084c7704170beeb2ba69810b9b44a

RedLineStealer

efc1ec6c7b075a24839a5a6b6c73f75ea7adbae1c17457c4ab0b22c951667dfa

RedLineStealer

+ 4'145 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/220822-sy6x9shgdk/

Behaviour

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

bc1f4d9da2e338e72dbf04bb16b7ca8fc11c04fbdc15085b1d72498c3f1670b9

MD5 hash:

7a7e7caa76993605b9f5b5748848166d

SHA1 hash:

410b6e731e498e9aef016f1a664209bb0ff67ef7

Link:

https://www.unpac.me/results/1264145c-bf61-4b50-a242-5c8bcf9856f8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bc1f4d9da2e3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/bc1f4d9da2e338e72dbf04bb16b7ca8fc11c04fbdc15085b1d72498c3f1670b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300303/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample