MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8097338dd618c81a2b6a1a7079fb56adc35b966694781460b5c2fa429e1bd1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	d8097338dd618c81a2b6a1a7079fb56adc35b966694781460b5c2fa429e1bd1e
SHA3-384 hash:	3738c4ec91b65313b5b3984660d822a9a4cdca2929ffa3b5b3122c019f4660373ab0cb52a1b05e267003ccd20d7b82c6
SHA1 hash:	a4f051ff8918c13db4547c28740d07986bf02027
MD5 hash:	ccf19e64eb4a33f7badc354687df2590
humanhash:	comet-golf-three-quiet
File name:	d8097338dd618c81a2b6a1a7079fb56adc35b96669478.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	632'344 bytes
First seen:	2022-02-05 17:20:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:jA9+bNvJ8R4E/JGZz/rGHPgzE1oISHz9n:jjbNvJe7IZ33V/p
Threatray	4'667 similar samples on MalwareBazaar
TLSH	T1E1D4D0132B9485CAD9A2DFF14E3459939FE78A631C13EA0A1FE834B70D35B9A8D35D01
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.92.73.104:42704

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.92.73.104:42704	https://threatfox.abuse.ch/ioc/379396/

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d8097338dd618c81a2b6a1a7079fb56adc35b96669478.exe

Verdict:

Malicious activity

Analysis date:

2022-02-05 17:33:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/706bc5a1-ee5a-4b83-9435-d6dee2b6d3ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/233613/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.83418.27496.1470.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a window

Сreating synchronization primitives

Sending a custom TCP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed update.exe

Link:

https://www.filescan.io/uploads/61feb201a72f86da695e7708/reports/cbd47a48-9770-4b3b-a07a-a6eb62f70bd0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6a8c9347-1e42-408c-a7c6-6fddb034f818

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/934540

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-05 17:21:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

10 of 43 (23.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3aexgog5mggidivwugtqph5vnlodlolgnfdycrqllqx2ikpbxupa._file

Verdict:

malicious

RedLineStealer

1c4784eb94656e7e8a3dc95812cb80b2f01c87a2a9407d8b13c2c48ecf0d22a3

RedLineStealer

27436a1a6690b6ebcf8d6022a95e35f02a57b7132c7b6e5213e9c41167691f11

RedLineStealer

5e7f31fa6c2e6f4f924ba6aa1c8ed9abc1f9cb66cecf89d46d8177a834a86ce1

RedLineStealer

9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d

RedLineStealer

a32437ab62c0ac90c236c6a8e33bd6b57e661cd83aaae7d6c9f371eefca5a7a5

RedLineStealer

ff61854c347ac02b4832092f146458fd480edee1a7b09114b754ffbb7a959db8

RedLineStealer

+ 4'657 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:gmb222 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220205-vwz32sdhej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Downloads MZ/PE file

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.92.73.104:42704

Unpacked files

SH256 hash:

d8097338dd618c81a2b6a1a7079fb56adc35b966694781460b5c2fa429e1bd1e

MD5 hash:

ccf19e64eb4a33f7badc354687df2590

SHA1 hash:

a4f051ff8918c13db4547c28740d07986bf02027

Link:

https://www.unpac.me/results/37482fa1-417a-4b7c-9259-a8fce674da00/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d8097338dd618c81a2b6a1a7079fb56adc35b966694781460b5c2fa429e1bd1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Encoded_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/233613/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample