MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d61d33074ee4ad694efb6573a5f40923cd31c96d78a9a54934c11e0671766b8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: d61d33074ee4ad694efb6573a5f40923cd31c96d78a9a54934c11e0671766b8c
SHA3-384 hash: 13474070c62b7b273d7e271c4899f31d0645499625807deeb74ec726a664fcc2e4009cf79f30d7be0fc18050b8f9424e
SHA1 hash: 987eb726373c3c8d23c7a60c16a7134f9d112c5b
MD5 hash: 8b950c7b5909bc6ab5169492645d58c0
humanhash: monkey-table-ink-august
File name: 8b950c7b5909bc6ab5169492645d58c0.exe
Signature RedLineStealer
File size: 457'728 bytes
First seen: 2021-09-29 13:46:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep: 12288:IbjDhu9TlMgJ/lyUz81DWkqO5NCex1y54O3sk:21eTlMgJ//89RqO5NCefy54O3sk
Threatray: 67 similar samples on MalwareBazaar
TLSH: T1D7A4F16672E02158D6B682F6C9921746EA3170721B15B3DF27B853B21B2F4DA8F3D3D0
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
80.87.192.137:27018

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
80.87.192.137:27018 | https://threatfox.abuse.ch/ioc/227545/

Intelligence


File Origin
# of uploads: 1
# of downloads: 126
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Stealing user critical data
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Behavior Graph (ID 493815, sample V4dT41mWTo.exe, start date 30/09/2021, architecture WINDOWS, score 60):
- Signatures on the submitted file: Multi AV Scanner detection for submitted file; Yara detected BatToExe compiled binary
- V4dT41mWTo.exe drops C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+) and starts cmd.exe
- cmd.exe starts extd.exe (three instances) and conhost.exe
- extd.exe connects to cdn.discordapp.com 162.159.135.233:443 and to 162.159.129.233:443 (CLOUDFLARENETUS, United States); Multi AV Scanner detection for dropped file
Threat name: Win64.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-29 13:47:06 UTC
AV detection: 18 of 45 (40.00%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer upx
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction: 80.87.192.137:27018
Unpacked files
SHA256 hash: d61d33074ee4ad694efb6573a5f40923cd31c96d78a9a54934c11e0671766b8c
MD5 hash: 8b950c7b5909bc6ab5169492645d58c0
SHA1 hash: 987eb726373c3c8d23c7a60c16a7134f9d112c5b
Malware family: RedLine.A
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
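The entry gives a hunter three things to look for: the sample's SHA256, the extracted C2 (80.87.192.137:27018, ThreatFox IOC 227545), and the BatToExe drop-and-run chain the sandbox graph shows (a PE written under %TEMP%, then launched with cmd.exe as its parent). The script below turns those into detection logic over endpoint telemetry. It is an added example, not MalwareBazaar, abuse.ch or RedLine code; the Sysmon-like JSON event shape, the field names, the pids and the Temp subdirectory name are assumptions constructed for the example, only the indicators come from the entry.

```python
"""Hunt for this MalwareBazaar entry's indicators in endpoint telemetry.

Added example; not MalwareBazaar, abuse.ch or RedLine code. The event layout is a
constructed, Sysmon-like shape (an assumption, not a format the entry shows).
"""
import ntpath

# Indicators taken from the entry.
SAMPLE_SHA256 = "d61d33074ee4ad694efb6573a5f40923cd31c96d78a9a54934c11e0671766b8c"
C2_ENDPOINTS = {("80.87.192.137", 27018)}        # ThreatFox IOC 227545
TEMP_MARKER = "\\appdata\\local\\temp\\"         # %TEMP% drop location, lowercase

# Constructed telemetry (not real logs). "id" mirrors Sysmon event IDs:
# 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate. Pids, paths and the
# "1234" Temp subdirectory are invented for the example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50,
     "image": r"C:\Users\user\Downloads\V4dT41mWTo.exe",
     "hashes": "MD5=8b950c7b5909bc6ab5169492645d58c0,"
               "SHA256=D61D33074EE4AD694EFB6573A5F40923CD31C96D78A9A54934C11E0671766B8C"},
    {"id": 11, "pid": 100,
     "target": r"C:\Users\user\AppData\Local\Temp\1234\extd.exe"},
    {"id": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe", "hashes": ""},
    {"id": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Users\user\AppData\Local\Temp\1234\extd.exe", "hashes": ""},
    {"id": 3, "pid": 300, "dst_ip": "80.87.192.137", "dst_port": 27018},
    # Traffic to the CDN the sample also used is not an indicator on its own:
    # cdn.discordapp.com is shared infrastructure, so it must not alert.
    {"id": 3, "pid": 400, "dst_ip": "162.159.135.233", "dst_port": 443},
]


def _parse_hashes(field):
    """Turn 'MD5=..,SHA256=..' into a dict of lowercase digests keyed by algorithm."""
    out = {}
    for item in field.split(","):
        if "=" in item:
            algo, digest = item.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def hunt(events):
    """Return (rule, pid) alerts for: the sample's SHA256, a connection to the
    extracted C2, and a PE dropped under %TEMP% then executed by cmd.exe."""
    alerts = []
    dropped = set()   # normalized paths of PE files written under %TEMP%
    procs = {}        # pid -> ProcessCreate event, for parent lookups
    for ev in events:
        if ev["id"] == 11:
            target = ev["target"].lower()
            if TEMP_MARKER in target and target.endswith(".exe"):
                dropped.add(target)
        elif ev["id"] == 1:
            procs[ev["pid"]] = ev
            if _parse_hashes(ev.get("hashes", "")).get("SHA256") == SAMPLE_SHA256:
                alerts.append(("known_sample_sha256", ev["pid"]))
            parent = procs.get(ev.get("ppid"))
            parent_is_cmd = (parent is not None and
                             ntpath.basename(parent["image"]).lower() == "cmd.exe")
            if ev["image"].lower() in dropped and parent_is_cmd:
                alerts.append(("temp_drop_exec_via_cmd", ev["pid"]))
        elif ev["id"] == 3:
            if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
                alerts.append(("redline_c2_connect", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The C2 match keys on the IP and port pair, since the same host on another port is a weaker signal, and hashes are case-folded because telemetry sources disagree on digest casing. The drop-and-run rule needs the FileCreate event to arrive before the ProcessCreate for the same path, which is the order the sandbox graph shows; the CDN addresses from the graph are deliberately left out of the indicator set.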

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | RedLineStealer | Executable exe d61d33074ee4ad694efb6573a5f40923cd31c96d78a9a54934c11e0671766b8c (this sample)

Delivery method: Distributed via web download

Comments