MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef52a01dd88433ae87bc10baa5d94ba2a42ad12f32cb57b6f06c6f3a7f4f0582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef52a01dd88433ae87bc10baa5d94ba2a42ad12f32cb57b6f06c6f3a7f4f0582
SHA3-384 hash: 840e73f4e0b4c883daec4c96a75db692cc1bcda1234cec90aacf3909732398e201f1f706e3395903fb9ce6bc19c80c37
SHA1 hash: 5e53f76d36cf8ff033b439d35d4c9e611eb2df3f
MD5 hash: b64c986a71041d33480e606f7a4a3522
humanhash: september-alpha-item-low
File name:ef52a01dd88433ae87bc10baa5d94ba2a42ad12f32cb5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:984'576 bytes
First seen:2022-10-10 14:40:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8efe9e1c8e70e8c7b0fd0807b176579c (1 x RedLineStealer)
ssdeep 12288:A0zNX3tuamI3X8LxJGKWR1VUeVGekrQB+71x4OxCPaUtVSX3x7FRS8Hy1Qmty/:AOJ13X8vGKWxhGlrQOzxC/tVSn52Rb
Threatray 193 similar samples on MalwareBazaar
TLSH T1C125BF52F7D08C33C53729784C0B97A5ADEBBA112E2C59865BE42D4C2F39AC0BD351A3
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon f0f0f0e3e2f2f070 (1 x RedLineStealer, 1 x CoinMiner)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
89.208.106.66:4691

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.208.106.66:4691 https://threatfox.abuse.ch/ioc/872764/

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318511/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42279/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed shell32.dll wscript.exe
Link:
https://www.filescan.io/uploads/63442f0081eef2a234c4b559/reports/58ddfd25-38d0-449c-966b-1b2e000d7fe6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a32886f4-dbc0-4f94-9df3-b5d382465115
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1087107
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef52a01dd88433ae87bc10baa5d94ba2a42ad12f32cb57b6f06c6f3a7f4f0582/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 14:41:11 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=55jkahoyqqz25b54cc5klwklukscvujpglfvpnxqnrxtu72pawba._file
Verdict:
malicious
Similar samples:
0866f6ad4a9533fb2f28aab0e42c72c8127c4f7fbd5fea2332747e0ddc169da7
RedLineStealer
42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197
RedLineStealer
7889fbae0f292b70c50119b5069bb64425189c59c818336bb49c9c5638edbe03
RedLineStealer
a6fc491d6d097332f35d3ffaa4a31ecafd1b114cdccee11f627e3bde36a7bfd3
RedLineStealer
bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c
RedLineStealer
d633169a59bd0ecaeda8ed764374657efdf49d963f66f8949efcb2549707d498
RedLineStealer
f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340
RedLineStealer
+ 183 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery spyware stealer trojan
Link:
https://tria.ge/reports/221010-r2e4aacbg3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6192ec57-282d-44b1-a20a-5f58f48f3603
Unpacked files
SH256 hash:
753ee821f36ef39de1442441aec4b8f860d3d1ed319fad9ae275ce07ca12f943
MD5 hash:
91575ae64ae47b77c15af6138ccb821c
SHA1 hash:
761fcf73c7b4dfb1c05fa82651f925677c9dd2cc
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/0d5f09cd-a561-4d8a-a500-e433a133321b/
SH256 hash:
ef52a01dd88433ae87bc10baa5d94ba2a42ad12f32cb57b6f06c6f3a7f4f0582
MD5 hash:
b64c986a71041d33480e606f7a4a3522
SHA1 hash:
5e53f76d36cf8ff033b439d35d4c9e611eb2df3f
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/0d5f09cd-a561-4d8a-a500-e433a133321b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef52a01dd884/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.62
Link:
https://yomi.yoroi.company/submissions/ef52a01dd88433ae87bc10baa5d94ba2a42ad12f32cb57b6f06c6f3a7f4f0582

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318511/

Comments