MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808
SHA3-384 hash:	a69439d0ba14d2833546da6fda5a5e7d183965f70adbf8e330784d9bda39e2b86fca76a668df2557a6652a97fe7d8d49
SHA1 hash:	a749e2c90b313174a91a6e51db6bc8e6dc00f37e
MD5 hash:	dc0d6257af6ac44eb10333a282b0f738
humanhash:	five-fanta-louisiana-yellow
File name:	_@ytlogsbot.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	130'048 bytes
First seen:	2023-07-19 03:33:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:CaxcnVHT1u/o8kJ6O+fbhKOF8FFD/WD/38VFhmLjf0bV7q/OOPWsYgibfbFDKsR0:HxcZZFqzhKp7OjA/mnMIG8YgafJl0
Threatray	713 similar samples on MalwareBazaar
TLSH	T1BBD34B9537D98A29E5FD0B74A5B1002987F0F8236511E79F6FC1B0DF1E31BC0B6126AA
TrID	59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.6% (.SCR) Windows screen saver (13097/50/3) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	30e4c0d8b686e464 (27 x RedLineStealer, 2 x N-W0rm)
Reporter	JAMESWT_WT
Tags:	exe FruitMiX RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://fundovidaips.com/download/File_pass1234.7z

Verdict:

Malicious activity

Analysis date:

2023-07-18 20:16:02 UTC

Tags:

privateloader evasion opendir loader risepro stealer payload fabookie redline rat amadey trojan gcleaner smoke povertystealer arkei vidar

Link:

https://app.any.run/tasks/a8e8c813-2446-4c32-98bd-939115fbad34

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/424413/

Detection(s):

Sanesecurity.Malware.28889.FZF.UNOFFICIAL

Win.Trojan.Redline-9938775-1

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex control lolbin packed packed redline replace stealer

Link:

https://www.filescan.io/uploads/64b759abf52c3e1a014a60f9/reports/c22b6053-6969-4f87-bcb9-52c241eb6814/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/47ba4cda-901d-410c-a934-337a2b4acd21

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1275603

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808/

Threat name:

ByteCode-MSIL.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-06-25 18:14:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7aaqh4vdwgo4byfsn2coj4szwxqhejsspqdleu7kiqojr3vzraea._file

Verdict:

malicious

RedLineStealer

2f2b97ab77736a86eeb79599be1137c99befab80ba2d1af6a19a9f5ee664fecc

RedLineStealer

331e9d9ebbdb39425d81d5715bc1884e7f9c4a32c1db9ee81b28b8f51c8d472c

RedLineStealer

348021154da50f07357caad1ff21d7661aa032a18b1b1be5081ab5f9009790c5

RedLineStealer

8cff02b8ebb50f1e9719494a53057017da3de1f7d1cf1a17d3df8614d2a6962d

RedLineStealer

9f501e75fa1f86aca08cecdd4b3fe11676a0aebac9f34cbbbfb12f43a2a075ec

RedLineStealer

b3f3bb14379a2bd38947031d90c8408ea308009de631e9132d643b20ee645a5c

RedLineStealer

be32eef2edd391e6ba9c877a7181c667e4791a7899ee054097605daf707cc346

RedLineStealer

c4cc00b65af58598157eee87eca86b64de4138a3b449883ea3c1a0c33c3287c1

RedLineStealer

ff59399142eebc8e4829b279c9521fc671d3ccff737f9b236d18c50f349599b0

RedLineStealer

+ 703 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@ytlogsbot discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230719-d4rm7sgb9v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

176.123.9.85:16482

Unpacked files

SH256 hash:

f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

MD5 hash:

dc0d6257af6ac44eb10333a282b0f738

SHA1 hash:

a749e2c90b313174a91a6e51db6bc8e6dc00f37e

Detections:

redline

Link:

https://www.unpac.me/results/ba810893-1685-476e-9eca-c08a69507ed0/

Parent samples :

030ee4d82518139a21800e8c6946f46cc251821e9a738a78cfca30a18f0e98a9
fd31a663216bfb8143db8ea956edda60157228e4e26abd15724d28e34f435c66
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808
2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
861cfaafee3a7a3a67bf5d707b193c7396811c8c7c22136886e2bb0513e4fd66
28a2cb032410d19178b1635a246f1306644ac10838f445495b9e57fdf3718e3a
e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f80103f2a3b1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/424413/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample