MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d27fe6a42208e340e992bb1e4b346229d9c2663b9184238e01ab699c3a772a3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d27fe6a42208e340e992bb1e4b346229d9c2663b9184238e01ab699c3a772a3c
SHA3-384 hash: 407f232595521457becb1c335c5d4045dee96c8a173b41f163473b642c00dd752c324d80ef15ff83c5f4189b2ea7b700
SHA1 hash: b5d10e3ff15419475162b91d8acb3861e4ae0208
MD5 hash: a14a17c4e1fbeda445d2ceeaca7518ce
humanhash: iowa-vegan-zebra-alpha
File name:Payment_10_2_2022.bat
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:85'808 bytes
First seen:2022-10-28 19:04:45 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:e+K60e/GEPX1JJbcdJxbpt0g00ALOMgT8YSJq+oiDIsucCYQoPZ1iZ4KsChK6FVX:10e/T1fkogtALplLJnDIVcvQoP2Z4KZN
Threatray 2'729 similar samples on MalwareBazaar
TLSH T14F83017A3E2B979D38E800D130E0437839313996D4C5BA28EF39679C6BC59D262533B6
Reporter 0xToxin
Tags:bat RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Payment_10_2_2022.bat
Verdict:
Malicious activity
Analysis date:
2022-10-28 17:29:03 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/8d2a5e69-fd57-4235-9a69-e2102ad66f24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325622/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63205772.22486.3462.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/635c27e1a5db8d309cbbb227/reports/ab27e045-eae8-4c4c-973b-ec1ab91ff48d/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1100581
Signature
Bypasses PowerShell execution policy
Obfuscated command line found
Renames powershell.exe to bypass HIPS
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 733242 Sample: Payment_10_2_2022.bat Startdate: 28/10/2022 Architecture: WINDOWS Score: 76 75 Yara detected RedLine Stealer 2->75 77 Uses known network protocols on non-standard ports 2->77 10 cmd.exe 2 2->10         started        14 cmd.exe 1 2->14         started        16 cmd.exe 2->16         started        process3 file4 67 C:\Users\user\...\Payment_10_2_2022.bat.exe, PE32+ 10->67 dropped 85 Suspicious powershell command line found 10->85 87 Bypasses PowerShell execution policy 10->87 89 Renames powershell.exe to bypass HIPS 10->89 18 Payment_10_2_2022.bat.exe 1 20 10->18         started        21 powershell.exe 7 10->21         started        23 conhost.exe 10->23         started        25 ehuQihTfOx.bat.exe 13 14->25         started        27 conhost.exe 14->27         started        29 powershell.exe 14->29         started        31 ehuQihTfOx.bat.exe 16->31         started        33 conhost.exe 16->33         started        35 powershell.exe 16->35         started        signatures5 process6 signatures7 79 Obfuscated command line found 18->79 37 cmd.exe 2 18->37         started        41 powershell.exe 9 18->41         started        43 powershell.exe 25->43         started        45 powershell.exe 31->45         started        process8 file9 65 C:\Users\user\AppData\...\ehuQihTfOx.bat.exe, PE32+ 37->65 dropped 81 Suspicious powershell command line found 37->81 83 Renames powershell.exe to bypass HIPS 37->83 47 ehuQihTfOx.bat.exe 14 14 37->47         started        51 conhost.exe 37->51         started        53 powershell.exe 37->53         started        55 conhost.exe 41->55         started        57 conhost.exe 43->57         started        59 conhost.exe 45->59         started        signatures10 process11 dnsIp12 69 api.ip.sb 47->69 71 95.214.24.145, 49700, 49702, 49703 CMCSUS Germany 47->71 73 Obfuscated command line found 47->73 61 powershell.exe 47->61         started        signatures13 process14 process15 63 conhost.exe 61->63         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d27fe6a42208e340e992bb1e4b346229d9c2663b9184238e01ab699c3a772a3c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2j76njbcbdrub2msxmpewndcfhm4ezr3sgcchdqbvnuzyotxfi6a._file
Verdict:
unknown
Similar samples:
2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9
RedLineStealer
3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0
RedLineStealer
47ac3d18dc7010640808ab90a5a83881593a6ab8a5bc178ff72f983e26c3476f
RedLineStealer
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
RedLineStealer
b0349c9cc5d6db524ba113866432e1e0b1cf309e60ad5c3281fb00b27d1bdd30
RedLineStealer
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
RedLineStealer
c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289
RedLineStealer
e30338b34bb447ba7ea0fdb18d9a5daa2f1cd0c0668ed18ce5b0172a5a9d13e1
RedLineStealer
f0653a86fd67b4a51be4a3f3283a9cd1ffd0d9448ae9855147152b5e54fa24a8
RedLineStealer
f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b
RedLineStealer
+ 2'719 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/221028-xrg3sabed5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d27fe6a42208e340e992bb1e4b346229d9c2663b9184238e01ab699c3a772a3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Batch (bat) bat d27fe6a42208e340e992bb1e4b346229d9c2663b9184238e01ab699c3a772a3c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/325622/

Comments