MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef72a8ead2feee983f6d9b8acae54da2f11bb95e54b54b5e244a4a6e8f81f3b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	ef72a8ead2feee983f6d9b8acae54da2f11bb95e54b54b5e244a4a6e8f81f3b1
SHA3-384 hash:	b08f31e028b82826e6873d5abd7cced4fe0b53b6f8e2a4be69a4f34e3a3ae1b9cac2dc0171dc0d762027d405e8a729fe
SHA1 hash:	00c9cdd93f058fc964823b4a7a892009ce7ee906
MD5 hash:	7764d60af970a9e6e4b7b176a14017fa
humanhash:	maryland-march-wolfram-apart
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	182'272 bytes
First seen:	2022-10-28 20:22:31 UTC
Last seen:	2022-10-29 06:16:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:1gtE+wfXTb/1OObkV9VdFCVZOfm8EfkOaT6h0URvUCOM+9C6OHONgAyvpR5IYXVR:QwfDb97k3TxET66bvUU+9NOHONgAA9FR
Threatray	819 similar samples on MalwareBazaar
TLSH	T1E304E05D33902A2DC618217E18A352C83A31D83EA0BFE7ABD64D513EEE523E917537C5
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	81808cbee4e6e6f4 (2 x Formbook, 1 x RedLineStealer, 1 x Emotet)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc758682806_652711432?hash=ckDSOEJqP8D42jCFldNzJzAfsmXebTShFXHbMyfuZ7s&dl=G42TQNRYGI4DANQ:1666988409:K88EK1JQSqhYQ3dioz6nckLWmdzCPsw1NqEPO5Js8YP&api=1&no_preview=1#lll_1

Intelligence

File Origin

# of uploads :

273

# of downloads :

326

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-28 20:25:09 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/629aa887-9a49-40f9-bd22-5bf0d755199c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/325640/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Using the Windows Management Instrumentation requests

Creating a file

Sending a custom TCP request

Creating a file in the system32 subdirectories

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm obfuscated packed

Link:

https://www.filescan.io/uploads/635c3a29736e9d884f0d7c15/reports/a0c46116-957e-488c-bf34-3de0b62dedc7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/be1500fd-4b71-46a6-b491-e89d8dd37102

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1100623

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef72a8ead2feee983f6d9b8acae54da2f11bb95e54b54b5e244a4a6e8f81f3b1/

Threat name:

ByteCode-MSIL.Trojan.Barys

Status:

Malicious

First seen:

2022-10-28 21:18:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=55zkr2ws73xjqp3ntofmvzknulyrxok6ks2uwxrejjfg5d4b6oyq._file

Verdict:

malicious

RedLineStealer

2c8f69f426ca347b5fd484bab7471ea9c1f44ecb1dfb1d3ab1b09b3bed9579fa

RedLineStealer

2e753221ff38b8dbebf919dcc0517ac22a1f4c99269fbf1cf7495278981abac8

RedLineStealer

3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5

RedLineStealer

a5e552824ebfb27e1946a69981dc84841cc2b21b069a8dd8deff0b0ceedb43a8

RedLineStealer

ac1efc1efc44a06910079a91f82d5d7a1da19c644e9ae47211596e0a18f091e5

RedLineStealer

+ 809 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:installs infostealer spyware

Link:

https://tria.ge/reports/221028-y54z5sead8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

95.216.170.17:29995

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5262decf-41b9-4ef6-948f-c32b6fda7544

Unpacked files

SH256 hash:

2ec987988d90af5102f99cbe336af29ae7f9214299687efb04b17fe10ccb5ce4

MD5 hash:

ed6464d765df237ba1d350f4edd3e5df

SHA1 hash:

d52cd48fb5879d62027e0f45e55a7dd8c00be8b5

Detections:

redline

Link:

https://www.unpac.me/results/c7b51084-c94c-472c-a0bb-ea15c82d96bc/

SH256 hash:

ef72a8ead2feee983f6d9b8acae54da2f11bb95e54b54b5e244a4a6e8f81f3b1

MD5 hash:

7764d60af970a9e6e4b7b176a14017fa

SHA1 hash:

00c9cdd93f058fc964823b4a7a892009ce7ee906

Link:

https://www.unpac.me/results/c7b51084-c94c-472c-a0bb-ea15c82d96bc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef72a8ead2feee983f6d9b8acae54da2f11bb95e54b54b5e244a4a6e8f81f3b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/325640/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample