MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75
SHA3-384 hash:	9cdc0489310afe6222d9ff51ee2eba54decb375a5db9b6d1cdb508fcc28c5eff5cfe88443a2f0b00f8da5d13543b2459
SHA1 hash:	cff1f5af8ab8095552a85d1d56c375efc90720d7
MD5 hash:	c0101a931d5c1b6e60167ab326c2b49d
humanhash:	cat-missouri-fifteen-ohio
File name:	SPicyman.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	396'288 bytes
First seen:	2024-01-19 22:15:39 UTC
Last seen:	2024-01-22 14:27:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:hgwnFHAOVrDLkD57g5bbO+0wWr23n8B1vC2GbuIZ+eP0myMAOVh:hgqgOVod7g5Wr2XopBIPP2e
TLSH	T13E840212BB738764C91802BB89D3846803F9D3C72AB3D99B3E5956790F02F9799857CC
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	adm1n_usa32
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

New Text Document.bin.exe

Verdict:

Malicious activity

Analysis date:

2024-01-16 19:38:50 UTC

Tags:

loader opendir ducktail hausbomber stealer stealc risepro evasion miner smoke smokeloader trojan glupteba vodkagats vidar zgrat pureminer rhadamanthys ransomware stop formbook xloader amadey botnet spyware redline xmrig pureloader purecrypter kelihos quasar fabookie lumma raccoonclipper phishing payload rat asyncrat remote

Link:

https://app.any.run/tasks/6b79a8ed-b6c9-4102-9c5d-1ed148f16f7d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

MetaStealer

Link:

https://www.capesandbox.com/analysis/471767/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.25269.10985.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Сreating synchronization primitives

Creating a process from a recently created file

Stealing user critical data

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed stealer

Link:

https://www.filescan.io/uploads/65aaf4a9dca4dca481de482b/reports/9c5a4d0e-a6a5-4c6e-bc23-a9f6aba31671/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/22e519ce-4f7d-40ca-9e84-23d076237c63

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1377780

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Drops PE files to the startup folder

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75/

Threat name:

ByteCode-MSIL.Trojan.RedLine

Status:

Malicious

First seen:

2024-01-15 22:19:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x4i2olpwftudkkniqhrlikutmgf5ki5an66r4uvcxqjpcycudz2q._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:redline family:zgrat discovery infostealer rat spyware stealer

Link:

https://tria.ge/reports/240119-16splsfba7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Detect ZGRat V1

RedLine

RedLine payload

ZGRat

Unpacked files

SH256 hash:

2a2b018b7d4b873fc46c975f2a7aaa5ddc62f073031a394b63169a613b992073

MD5 hash:

6442fbf20eee2d6a324d5a2ff18a0177

SHA1 hash:

1943c78d1d22e2e6be7d95b550bb60ff4c1a9720

Detections:

redline

Link:

https://www.unpac.me/results/d5715242-0a89-45de-a86e-b190bae2e977/

SH256 hash:

bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75

MD5 hash:

c0101a931d5c1b6e60167ab326c2b49d

SHA1 hash:

cff1f5af8ab8095552a85d1d56c375efc90720d7

Link:

https://www.unpac.me/results/d5715242-0a89-45de-a86e-b190bae2e977/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bf11a72df62c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf11a72df62ce83529a881e2b42a93618bd523a06fbd1e52a2bc12f160541e75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/550cf25b-fcff-4512-a913-2969213bd1b0

Cape

https://www.capesandbox.com/analysis/471767/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample