MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfcb8e1f198cdd9a25aa8266c1e39c496434b3afc8fe2e2d3ed40e1cf32eb932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: bfcb8e1f198cdd9a25aa8266c1e39c496434b3afc8fe2e2d3ed40e1cf32eb932
SHA3-384 hash: 22476857271043481ec1e164673bf49cf0398d41a9c1c5dda3c98e40b9bae4c6516b0ff3adb2fea1f19e53ecadf21cdd
SHA1 hash: d321a06047a7b678dbf66ec31737ffe616740c56
MD5 hash: 87a55db2012f719d4a0f4f799f5c02cc
humanhash: earth-nineteen-lima-pennsylvania
File name:87A55DB2012F719D4A0F4F799F5C02CC.exe
Signature RedLineStealer
File size:560'696 bytes
First seen:2021-08-18 00:11:09 UTC
Last seen:2021-08-18 01:07:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:3Xkg435JTLsBqTSLNv6u2vg4BZeC7C6nJ6PYvOOD2UGTwoEeHyy:3Xt2Xv4oSSRB8YmwGTAeHd
Threatray 1'240 similar samples on MalwareBazaar
TLSH T182C49CDC8E2C3EC0E17308F41CF6AED22426FC6F24A545A72A4E6D0735168A7757B91E
dhash icon 26e6232b654b4b45 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer
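A note on the imphash row above. The imphash is the MD5 of the normalized import table, and the counts next to it (tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples sharing it) are not evidence of a shared codebase: the vendor results further down identify this sample as .NET (ByteCode-MSIL), and the unmanaged import table of almost every .NET executable consists of a single entry, mscoree.dll!_CorExeMain, so all of them hash to the same value. The following is an added example, not code from MalwareBazaar or from any of the tools listed on this page; it reimplements the imphash normalization on constructed import lists so the effect can be seen offline. The well-known-ordinal lookup that pefile applies to ws2_32/oleaut32 imports is deliberately omitted and noted as such.

```python
import hashlib

# Added example (not part of the MalwareBazaar page): the imphash algorithm
# (lowercase "dll.func" tokens, DLL extension stripped, comma-joined, MD5),
# applied to constructed import lists.

# DLL suffixes the algorithm strips before hashing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(dll: str, func) -> str:
    """Return the 'dll.func' token that is fed into the MD5.

    The DLL name is lowercased and loses a .dll/.ocx/.sys extension; the
    function name is lowercased. Imports by ordinal become 'ord<N>'.
    (pefile additionally resolves well-known ws2_32/oleaut32 ordinals to
    names; that table is omitted here, so ordinal imports from those DLLs
    would hash differently from pefile's result.)
    """
    dll = dll.lower()
    for ext in _STRIPPED_EXTENSIONS:
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    if isinstance(func, int):
        func = f"ord{func}"
    return f"{dll}.{func.lower()}"


def imphash(imports) -> str:
    """MD5 of the comma-joined normalized imports, in import-table order."""
    joined = ",".join(normalize_import(d, f) for d, f in imports)
    return hashlib.md5(joined.encode()).hexdigest()


# Constructed import table of a typical .NET executable: the CLR loader stub
# imports exactly one function, so every such binary shares one imphash.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed import table of a small native binary, for contrast.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", "connect"),
    ("WS2_32.dll", "send"),
]


if __name__ == "__main__":
    print("normalized .NET import:", normalize_import(*DOTNET_IMPORTS[0]))
    print(".NET imphash     :", imphash(DOTNET_IMPORTS))
    print("native imphash   :", imphash(NATIVE_IMPORTS))
    # Import order is part of the hash, so the same DLLs in another order
    # give a different value.
    print("native, reordered:", imphash(list(reversed(NATIVE_IMPORTS))))
```

If the .NET value printed by this script equals the imphash shown above, the sample's import table is that single mscoree.dll entry and imphash carries no family information for it; pivot on the TLSH, ssdeep or dhash values in the table instead.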


abuse_ch
RedLineStealer C2:
34.125.127.142:22010

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
34.125.127.142:22010   https://threatfox.abuse.ch/ioc/191853/
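To turn the indicator above into a check that can be run against connection logs, here is an added example (not code from MalwareBazaar, ThreatFox or any vendor on this page). The log format is constructed for the example and is not a real product's format; adapt `_LINE_RE` to whatever your firewall or Zeek conn.log produces. It reports an exact IP:port match as high confidence and the same IP on any other port as medium confidence, since the vendor output below notes the sample uses known protocols on a non-standard port and C2 hosts commonly move ports between builds.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (not part of the MalwareBazaar page): match the RedLine C2
# indicator listed above against connection-log lines.

# IOC from the page, as (ip, port).
C2_IOCS = {("34.125.127.142", 22010)}

# Constructed log lines in a made-up key=value format (not a vendor format).
SAMPLE_LOG = """\
2021-08-18T00:12:03Z src=10.0.0.23:51234 dst=34.125.127.142:22010 proto=tcp bytes_out=4821
2021-08-18T00:12:09Z src=10.0.0.23:51240 dst=142.250.74.46:443 proto=tcp bytes_out=1103
2021-08-18T00:13:41Z src=10.0.0.57:49871 dst=34.125.127.142:443 proto=tcp bytes_out=388
2021-08-18T00:14:02Z src=10.0.0.23:51301 dst=10.0.0.1:53 proto=udp bytes_out=64
not a log line at all
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+?):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>\S+?):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    confidence: str  # "high" = exact ip:port match, "medium" = IOC ip on another port


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def find_c2_hits(log_text: str, iocs=C2_IOCS):
    """Scan log text and return Hit records for destinations matching the IOCs."""
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines instead of aborting the scan
        try:
            dst = str(ipaddress.ip_address(rec["dst"]))  # normalizes the address
        except ValueError:
            continue
        dport = int(rec["dport"])
        if (dst, dport) in iocs:
            confidence = "high"
        elif dst in ioc_ips:
            confidence = "medium"
        else:
            continue
        hits.append(Hit(rec["ts"], rec["src"], dst, dport, confidence))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.dport} [{hit.confidence}]")
```

Against the constructed log this flags the 22010 connection from 10.0.0.23 as high confidence and the port-443 connection from 10.0.0.57 as medium; the Google-range and DNS lines are ignored.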

Intelligence


File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
87A55DB2012F719D4A0F4F799F5C02CC.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-18 00:11:57 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Threat name:
ByteCode-MSIL.Worm.SpyBot
Status:
Malicious
First seen:
2021-08-15 00:55:38 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:bomb007 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
34.125.127.142:22010
Unpacked files
SHA256 hash:
3d2318ac0fdf1e571791e8313bd62ffc071b5ec54fd0cac55eee9607b9e0c1a8
MD5 hash:
1b8b6478bbe88b977a260f83bceee916
SHA1 hash:
b313f7203214ec9a0c7595c0bd3cb26959124d62
SHA256 hash:
5bb53af5bf7e0aedd1fc06b4c7bb2b24d37b2c4480f8d0f20957df04d7739690
MD5 hash:
c91d085b2a6d8c3e5c721dcbb057e6e3
SHA1 hash:
0740dd308676d8287981112acc54a2d9124ae2b4
SHA256 hash:
14fd4bdea58f65a66e9c74cd013055db4cc15ce55fde43fec4083d4bb557d086
MD5 hash:
14909fb69eaa7ce19e66030bf6459247
SHA1 hash:
006390befb10b800536cd992e781964a9a15563d
SHA256 hash:
bfcb8e1f198cdd9a25aa8266c1e39c496434b3afc8fe2e2d3ed40e1cf32eb932
MD5 hash:
87a55db2012f719d4a0f4f799f5c02cc
SHA1 hash:
d321a06047a7b678dbf66ec31737ffe616740c56
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
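The first rule above fires when the COFF TimeDateStamp in the PE header lies in the future relative to the scanning machine's clock. As an added example (not the rule's own code, and not from MalwareBazaar), the check is reimplemented by hand below: it locates the PE header through e_lfanew, reads the timestamp field, and compares it with a supplied clock, with a one-day slack that the page's rule does not have (that slack is this example's own choice, to absorb clock skew). A minimal PE header is constructed inline so the script runs offline; real triage would read the file with pefile.

```python
import struct
import time

# Added example (not part of the MalwareBazaar page or of the YARA rule
# listed above): detect a PE compile timestamp that lies in the future.

PE_SIGNATURE = b"PE\0\0"


def read_pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) plus COFF header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def timestamp_in_future(data: bytes, now=None, slack: int = 24 * 3600) -> bool:
    """True when the compile timestamp is later than `now` plus `slack` seconds.

    `slack` is this example's addition: it absorbs clock skew between the
    build machine and the analyst box. The rule on the page compares against
    the local current time with no margin.
    """
    if now is None:
        now = int(time.time())
    return read_pe_timestamp(data) > now + slack


def build_min_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header: MZ stub, e_lfanew, PE signature, COFF header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, timestamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    now = int(time.time())
    for label, ts in (("built yesterday", now - 86400), ("stomped, next year", now + 365 * 86400)):
        pe = build_min_pe(ts)
        print(f"{label}: timestamp={read_pe_timestamp(pe)} future={timestamp_in_future(pe, now=now)}")
```

One caveat when reading this YARA hit on a .NET sample such as this one: compilers that produce deterministic builds (Roslyn with deterministic output enabled) write a content-derived pseudo-value into TimeDateStamp rather than the build time, so a timestamp that looks random or lies in the future may be a compiler artifact rather than deliberate stomping. Treat the rule as a reason to look, not as proof of tampering.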

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments