MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
SHA3-384 hash: 2e3ad039c704d2319100aee66e6c75441e6e99b1115d4c5458eb4b4fc513b0c97f8211cd1b229c3910823e0b1a0b403a
SHA1 hash: 45dcd0fd7f5278d5086faf0090019c85793dbd20
MD5 hash: 998fe400be0539b1b3c320d73f411dcc
humanhash: texas-failed-item-saturn
File name:998fe400be0539b1b3c320d73f411dcc.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:856'576 bytes
First seen:2023-02-11 11:41:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:SMrhy90fsJbiEZ7jA+T5dMYX6of+OVCbjlHhN0px1tQ9PDQRQS6J3kzu:/yJHZ7jA+TIYX6of+OU3381KdRJou
Threatray 12'656 similar samples on MalwareBazaar
TLSH T138051307E6F85132E8B477B018F602831A363D715B35979E678FAD091DB2A60E53272F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.12:4132

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
998fe400be0539b1b3c320d73f411dcc.exe
Verdict:
Malicious activity
Analysis date:
2023-02-11 11:43:46 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/f32624eb-d63c-4904-b2c5-2ee6e8f4a03e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/363964/
Detection(s):
Win.Packed.Disabler-9987080-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/68109/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63e77f0cd68ac683b34c13da/reports/696bdd8a-6979-460e-b96d-db497d5ac109/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2637c1c-257b-49b8-8de3-d5af938bb855
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1172001
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 804789 Sample: G6EOh5Jkyj.exe Startdate: 11/02/2023 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for dropped file 2->61 63 10 other signatures 2->63 9 G6EOh5Jkyj.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 file4 47 C:\Users\user\AppData\Local\...\vDA00.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\scr58.exe, PE32 9->49 dropped 18 vDA00.exe 1 4 9->18         started        process5 file6 39 C:\Users\user\AppData\Local\...\vuE80.exe, PE32 18->39 dropped 41 C:\Users\user\AppData\Local\...\njP63.exe, PE32 18->41 dropped 73 Antivirus detection for dropped file 18->73 75 Multi AV Scanner detection for dropped file 18->75 77 Machine Learning detection for dropped file 18->77 22 vuE80.exe 1 4 18->22         started        signatures7 process8 file9 43 C:\Users\user\AppData\Local\...\lVd45.exe, PE32 22->43 dropped 45 C:\Users\user\AppData\Local\...\dcr58.exe, PE32 22->45 dropped 79 Multi AV Scanner detection for dropped file 22->79 81 Machine Learning detection for dropped file 22->81 26 lVd45.exe 1 22->26         started        29 dcr58.exe 5 22->29         started        signatures10 process11 dnsIp12 83 Multi AV Scanner detection for dropped file 26->83 85 Machine Learning detection for dropped file 26->85 87 Writes to foreign memory regions 26->87 95 2 other signatures 26->95 33 AppLaunch.exe 3 26->33         started        37 conhost.exe 26->37         started        55 193.233.20.12, 4132, 49718 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 29->55 51 C:\Users\user\AppData\Local\...\dcr58.exe.log, ASCII 29->51 dropped 89 Detected unpacking (changes PE section rights) 29->89 91 Detected unpacking (overwrites its own PE header) 29->91 93 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->93 97 2 other signatures 29->97 file13 signatures14 process15 dnsIp16 53 176.113.115.17, 4132, 49721 SELECTELRU Russian Federation 33->53 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->65 67 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->67 69 Tries to harvest and steal browser information (history, passwords, etc) 33->69 71 Tries to steal Crypto Currency Wallets 33->71 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-02-11 11:42:10 UTC
File Type:
PE (Exe)
Extracted files:
215
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=64epajlglvgydaoxvfjy5qsm5vhvtzr2niqfnprlinemsqkflj3q._file
Verdict:
malicious
Similar samples:
147b5d6c844bd5f6962ca6ab96a0ce8103eac401ec77a61f3632e14757c199c2
RedLineStealer
2628ab1c8d488cbf56661f77c6004bb606546b708759dde8f525db983515f5fa
RedLineStealer
6e22d94efa87e5166e89cb33d13758e32524e20820632f06ba8676389e5a0018
RedLineStealer
728680d2b009f96df9c5cc0d867531f437a54352e0e66d67fe2269d0df793cb5
RedLineStealer
b586a85b1fc9d0b8370c88bca896d68b72797ee31e77f0afd080314dd6ca259e
RedLineStealer
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
RedLineStealer
c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7
RedLineStealer
c3459cba29b38190411467d23a91f8e6577c5d3241bbe59858282b1c4a41d3bf
RedLineStealer
eb60c51b5a320c3ae6a4619af7cc49ab89545ce78934362eee1690f88e4f5513
RedLineStealer
+ 12'646 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:crypt1 botnet:dunm botnet:romik discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230211-nt1hgaad8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.12:4132
176.113.115.17:4132
Unpacked files
SH256 hash:
6025e99b61cf27e4199afba2bbcaff306e1c73eb08d7706210b26d8e785f8a38
MD5 hash:
5a5d7c502c8de78f62818cd74dc3fad9
SHA1 hash:
f6a32259e84173fa3e674287fed9f7682d91ed00
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
Parent samples :
2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
2939c2394ceba4ec6d09b39765f26de7b9b2e768ffe5426da4f1833f33b015ee
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dfbca902423ad0c0b53e3abb0cb4e57b3ee266cb4eaec98b9baf4b107d19ccd6
0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
dca38093bc51d165acf5754982d66fe28509c85d65492d8428a240e1f85df435
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
0423f6894af5cdff8c3ea348370c3c9e950fa161b6aa7ea78ae43020d6ad6458
1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
b39502990b9ff0db6a020260147dac82e89ca3046f526ec81f3a6af1f241e78a
e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b
SH256 hash:
75f41983d7da68c378b64f8e5633bde393f9c550469ae5bd4da6d64d6674286b
MD5 hash:
285e4cae921c512fec71492eaafc27c4
SHA1 hash:
7a1022b0ec66c57a216bd0f842906917e7851130
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
SH256 hash:
1b58cc46582d2af490ccd73e499c060493e03745d063c364e056b37bd27e923a
MD5 hash:
f99f30bc6d50869fd3efb586d707941c
SHA1 hash:
779d52ff7e1606bc249318253906cd380bc02148
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
Parent samples :
2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b
SH256 hash:
61a688de9338ed109b7552b0b75741b43292b3e7af68ca7b3b8d1ed9c7e51247
MD5 hash:
86f7e64a6bdc7884eb50ece96ba634ae
SHA1 hash:
698d32b27330ca7b3c979dca94feb88d317dd53c
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
SH256 hash:
a6d85ca3a46d5be8131c39ffcb1af87631f2b2b796a95925ffd9f3e170a3ae65
MD5 hash:
2f6a15519ce6249010e2680479f72725
SHA1 hash:
2b2121891cac6876913420863b551dd079c2a87a
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
SH256 hash:
7d655f75568a4b85d72ec3dfc4d377986da5cb607d869d270ab6c4508e8c447e
MD5 hash:
f23154fa8f56e63e43afa52b14c591eb
SHA1 hash:
cbc6a1e1f266896c055022b93d24bf9fafe33b0a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
SH256 hash:
d483f0ce630aeccd80e3e464f94367bee1ce64be0f3b96ef867127f983191d37
MD5 hash:
20abc9a3b497625f3be3e1a171b4e5b9
SHA1 hash:
67f4270b0420f8db14028ad628a21fab7578fd56
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
SH256 hash:
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
MD5 hash:
998fe400be0539b1b3c320d73f411dcc
SHA1 hash:
45dcd0fd7f5278d5086faf0090019c85793dbd20
Link:
https://www.unpac.me/results/3cb2d027-93e4-491e-bfa3-c4ffea6b17a8/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f708f025665d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2535038/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/363964/

Comments