MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787
SHA3-384 hash:	28ba74f1954d556524bc5b6758e81fc7238dcb1c35a0b0de1d9a108f64d87a04e561c1f04d6e59b65dc9c8431dc4dfa3
SHA1 hash:	1da985dfd22cb6a3e7438d75e4e19215920e6f90
MD5 hash:	3bfed114daa6de23e092144a11f52205
humanhash:	november-carbon-three-washington
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	333'824 bytes
First seen:	2023-08-11 12:02:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bdd66bf8468b2629838c567887e30c7e (1 x RedLineStealer)
ssdeep	6144:5NEt5LITfRNJ+xZlJD2g5EgnyBHfoDHw:5ukTfRN4r2g5MiDQ
Threatray	547 similar samples on MalwareBazaar
TLSH	T15B64F1217792C072C69B14304966DBB0AA7FF8711578494737E81B7E9F322D19B3934E
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	041011020c204000 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://199.247.24.9:3002/file.exe

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-08-11 12:03:05 UTC

Tags:

redline

Link:

https://app.any.run/tasks/1a5449d8-bcb0-4283-9019-7f30226acf93

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/442123/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/102512/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64d623772a1db2a88ac98c31/reports/36b71a24-39af-4541-be37-7b47ac136108/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/afe51dc4-6128-4b2e-b31a-6249a9b27a39

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1289981

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-08-11 12:03:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6cdqxcbuzufjqgpnjwelbw5w6od6pko3mxa2tqa2ngklooaza6dq._file

Verdict:

malicious

RedLineStealer

07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd

RedLineStealer

4875a5a5dd058961caad327b2b718e01fbf2821e4873f13b85e790a09c371209

RedLineStealer

87c9b723dac804469ebc6e59f5a3d9b141dd02fe2315a417e51490325b0a54a0

RedLineStealer

8edaf9520abe8248af7bd7855f3dac020927aba601e46e92afe39b0a7cab5565

RedLineStealer

aaa71d5bd9256d33f9ab0f434a4b773867f106bf0be7a2de16749e4994feb3c8

RedLineStealer

d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713

RedLineStealer

de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b

RedLineStealer

e3dc9fb2eb85704dfcf401f7fd838fd2149667fa2573c608aa933ed85036faf4

RedLineStealer

e7f7aba3aa560f0e301fb6d8451914efd3c86c88be4cd1f8a8eb994d58ceb3c5

RedLineStealer

+ 537 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer

Link:

https://tria.ge/reports/230811-n7116aef3w/

Behaviour

RedLine

Malware Config

C2 Extraction:

136.244.98.226:33587

Unpacked files

SH256 hash:

9d62740022ba124e7df3e4d7dcd34f372252035147e987314e5b15a392720387

MD5 hash:

a2352b8794ef5d02bf5ebc16deecac99

SHA1 hash:

ef8c63963a27bd9ce16e29cc4b9dccba136a9f78

Link:

https://www.unpac.me/results/a5f88c42-df98-4310-9f7c-7f66df863daa/

SH256 hash:

9be679dc76229484610107de54712694dc5864b8afec6b08a76966825ee49bf0

MD5 hash:

96a98974d899237ff152c55d33fc5a65

SHA1 hash:

90688855319dcee5dbe15b6efda632b62e4e9782

Detections:

redline

Link:

https://www.unpac.me/results/a5f88c42-df98-4310-9f7c-7f66df863daa/

SH256 hash:

3f6f2de0b18a31161336d31610584e2ec749878ba11c2439b9105a1d4a38db80

MD5 hash:

e846855b77ae810a56de25985bf62959

SHA1 hash:

82d9c22dad6e8d493c88a1516fe560858157424c

Link:

https://www.unpac.me/results/a5f88c42-df98-4310-9f7c-7f66df863daa/

SH256 hash:

9a82702a0fe48942d04a646c67905a9d6b2b403b8f554874c132b622ee68d4df

MD5 hash:

6a953264861724b3c95b39c8d1f46d55

SHA1 hash:

3fb9468aaa71aa0456e265fe28a4b97baa83b46c

Detections:

redline

Link:

https://www.unpac.me/results/a5f88c42-df98-4310-9f7c-7f66df863daa/

SH256 hash:

f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787

MD5 hash:

3bfed114daa6de23e092144a11f52205

SHA1 hash:

1da985dfd22cb6a3e7438d75e4e19215920e6f90

Link:

https://www.unpac.me/results/a5f88c42-df98-4310-9f7c-7f66df863daa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/442123/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample