MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0d8b6a1f4419032cb6d9fa80ac8c9273e14d3a1742aabd5d3b585aeb758d8af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0d8b6a1f4419032cb6d9fa80ac8c9273e14d3a1742aabd5d3b585aeb758d8af
SHA3-384 hash: 3604f08f9859d1cdb3e174b866b96fba9db593627ce1d9fde417427a8aaae120d681a84b92a985f2daf2bdef9d551d43
SHA1 hash: e4ff0b96d9abadfa27ad215a1251661c827e1dbf
MD5 hash: 4e6bb58eee8e114103551fbb7441fa78
humanhash: cola-rugby-leopard-stream
File name:49P3sz7hwaBCw38mzH6t.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:414'220 bytes
First seen:2021-02-04 02:53:31 UTC
Last seen:2021-02-04 05:04:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 13302973d2b656bb42dfc047b36db5ce (1 x RedLineStealer)
ssdeep 6144:qe5wP1wUdn1rLIHGW8cjf08WFGVJSuSw+Coj1hND71mcN5PVV+0poggvvLq0S4D:q8InTr8HGcBWFNCCHDxDNFv+cL8L
Threatray 233 similar samples on MalwareBazaar
TLSH 3594BF0CABB0C035F5F616F48D76C378A5297EA1AB2450CF52D91BEA5B346E1AC31B13
Reporter vm001cn
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
49P3sz7hwaBCw38mzH6t.exe
Verdict:
Malicious activity
Analysis date:
2021-02-04 02:54:53 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/3881d3d7-d2d9-4ebd-851c-0f4c0501e308

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115467/
Detection(s):
SecuriteInfo.com.Artemis4E6BB58EEE8E.20534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Sending a UDP request
Creating a file
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/598677
Signature
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f0d8b6a1f4419032cb6d9fa80ac8c9273e14d3a1742aabd5d3b585aeb758d8af/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 02:54:08 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
029a8669597543f16beacbcd8fd0eedb0e2ea51a401e5d88bbbe4ef0d0c410c8
RedLineStealer
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
RedLineStealer
31239f4455170cbb223b36936011b6573c3a5a86ee32b55f0bba48d95f3c7f6d
RedLineStealer
53694d09899c9de1600743b37ab45e9dc4e3eaf329dc410e87a3b7318d943012
RedLineStealer
7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb
RedLineStealer
a3948163bc436fde2808c4c76fccc90d515f3d754fc5851f0eb1e8b40a539e2b
RedLineStealer
bcd0816d97ffba1d11214540f3bf25344f835281fdd67edba638054527833222
RedLineStealer
bec5357c8a455639460f76de7bac4220c225a1770cfb5448de3c8885a22a8ba4
RedLineStealer
e2b766a5e694e0fd5756ef168bbd5b436f1baba2e8b74c356dbd6f0e63184bdd
RedLineStealer
feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5
RedLineStealer
+ 223 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/210204-hdmn9mahne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3345da2a960b53c708786a5b908d53694bdf5d3a6b56994dbad4185023684de2
MD5 hash:
fb2283d30b3e14d7dd79818312ac6f8a
SHA1 hash:
4e6dd99228b2383a025dc71d0086cbfdcf5739a1
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/a55a5bf0-6cc5-462a-a238-022551944e6d/
SH256 hash:
40e3d67da73522238d239f61b46ed5ce39b33a75ac366fcff83845d8381010a3
MD5 hash:
fafff92af4a5c19a062a0df2ddc5c4c6
SHA1 hash:
3f29dbaa116aa0d6471ab1224764f6f621bb0a6d
Link:
https://www.unpac.me/results/a55a5bf0-6cc5-462a-a238-022551944e6d/
SH256 hash:
989ec82433e68cb9e01411ce0f6d2972f7084583fb87fa60435970d6d8af6d93
MD5 hash:
c1d1627dbe32c97a890b35359a30bd02
SHA1 hash:
391256bee969225d83e1ba9f959f63dbaad57b8e
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/a55a5bf0-6cc5-462a-a238-022551944e6d/
SH256 hash:
f0d8b6a1f4419032cb6d9fa80ac8c9273e14d3a1742aabd5d3b585aeb758d8af
MD5 hash:
4e6bb58eee8e114103551fbb7441fa78
SHA1 hash:
e4ff0b96d9abadfa27ad215a1251661c827e1dbf
Link:
https://www.unpac.me/results/a55a5bf0-6cc5-462a-a238-022551944e6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0d8b6a1f4419032cb6d9fa80ac8c9273e14d3a1742aabd5d3b585aeb758d8af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/115467/

Comments