MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e
SHA3-384 hash: de92c8f11b4a8fc1b6d722419ea7563144dc063280e955113ba41c7d918364fd1b28fb6a8662f6ba643eac6e7c80fb83
SHA1 hash: 5dcc4998f9bd9629675377e7fd371b3126e32842
MD5 hash: f38c67037dc643ac9e896f13047867da
humanhash: seventeen-violet-august-lamp
File name:f38c67037dc643ac9e896f13047867da.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:279'042 bytes
First seen:2023-06-20 06:11:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afd3d49c95dff180e14b1d2081e826d0 (44 x RedLineStealer, 30 x Amadey)
ssdeep 6144:Gn1LI6Z2eQ0FKHgKNRBH13TLxNP9T0x+SRMp:2I65QzgMLxNFYv
Threatray 1'946 similar samples on MalwareBazaar
TLSH T10B544B0FB5C50336E471103D2BB06956ECEDBC910D34EDB73A6CC329156ABE2A9690DE
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
83.97.73.128:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f38c67037dc643ac9e896f13047867da.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 07:06:46 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/c68bf6e6-588c-4445-bb7f-9da49423974d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400781/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.16001.13107.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/649143373067ea15b656807a/reports/b2d17bf7-1902-4b9c-bd0f-a7f986c510b2/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc0e09cc-869e-4879-85a8-9dddbdc7d6d3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258576
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 04:38:01 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7aqtpavkjlgyep6vqzw672aw772tbaujyz6xgc5j6uvhzeweaqxa._file
Verdict:
malicious
Similar samples:
146ba9f41fa5df4ea395897c82cdf473edb747fa681c10d856265eaa013a3fb1
RedLineStealer
1864b758286146998d8cee8145f71eb2206839bb5bce240cf84fad01eaf9bff4
RedLineStealer
19e8083ff0290480e03d8907de6652320ec08f22ab1439ba65bebcca2c3daa19
RedLineStealer
20720467748d05be1ab69c778a39903853055c152611ad382598289fbb477c14
RedLineStealer
28b54683c8db0b3edeb068646b0aa206b84363c38d62597597bd9a8e5dac9dc7
RedLineStealer
367fbc78ead2f3e3b9751423f0f6662b6ded68d3b312e6fd862e36bb3070150e
RedLineStealer
4d81c008321f374d09d1e03536ee3c267dd76941e38c6cf4d89648eb247d22b4
RedLineStealer
5b8d7571928fa4985caf43f8a1b91df34443cd9d18f3df76a10b3f67683d3054
RedLineStealer
a8e255934640a077ca242c52d0cbfc811255a31c639881f05f949a52f8c86211
RedLineStealer
db2216b7d3c61c95d041079ca906856e144e924710517a4064113118b036ac6b
RedLineStealer
+ 1'936 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:furga discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230620-gx614abd7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
83.97.73.128:19071
Unpacked files
SH256 hash:
8f2fb8a1e91dc12ce48f55d8ef88f65698e1cca98fec460fb50074a1e8c7ef1c
MD5 hash:
b9a7cbf7b0a540e0ba208c60c712f4a2
SHA1 hash:
d65a9c122c0446a6536e15745f774ddb2124a3e0
Link:
https://www.unpac.me/results/9bf0400f-44b4-4386-998e-48ad91268400/
SH256 hash:
2fb840b21dddf248d6548111c8ba06d30b74ec7b697a8fdb2941cda9c1f63aec
MD5 hash:
8ad298a4d3d4ecb49273603c5f0a255f
SHA1 hash:
95312c176dfa78bfa40290ef010be069b78867fc
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9bf0400f-44b4-4386-998e-48ad91268400/
Parent samples :
23ed929b0a898ba1ed493bf06f9463f36ef98ae443dce8b0c35f061abcbc6637
cf8ca893e75ee9e7274f3d4ac7b2547f3e8bb6b1caf789804787f3884bd40dca
d92aba0f5f4c377753aa5dccf2a2dc7d64fa5fab5bf33dbc67bbb13e50a74a30
e3f6dfc1fe7f7174216c3e06c60b7443e60cc52d6f50d42451ef7177388b7726
2a87658b07d37aef9321625344994ed0c7e8163f243ce624ba9f5b2768cb14f4
340305a8de12c982e01e0be406d07f895d202355ddd53b870b9d83c14ea3d150
cc51272d75f089b207bb35bdbd3dd824183094731a090316c1176bbbf3621b0f
b5b127766fb45a877023e9bad1ce2ff59232d6e57a0aa901855bec7de2ae64dc
ddeb3ad3b0976f33570793a6393c483b482fa0625b3ee8d0f79ab5d2227f44d4
f30bce701bc05810e7c7873d7a8eee81c6054147593c3c09a9b5f31b403bf7e6
5614e3eabed5fabac6c80ccc888dce6df456d19165a1a18234604acf47019650
40e0c600d7cce1266068456274a50cda485bf20632bc5d072b780a0cb423f7cb
3b7e4f66c4398814f9c83b444dcc14b5ba2e407f00c411a9059247b40266d4d6
4fc91338a68b0d910c0cda912862387fd02b96e96be18c58a895d078005a5207
173dab5f308f27a0e91706ba7cca550ad73d6d4806480099692f4f498a8b2b4d
3023836b37a47b6599e276d2d7553299e07a1c372c40d47659d6c041595b1aa6
bd5eefb71c71dcf1dc8c90a4607417ab1be8e947b399baac1721b40e7cb7cb04
9ab55d3242777bc911d575af8f1a91d891d4fce2f979eabfdcff158a8a78d6da
c89226168e9dd1d256d85a72bb252cda314b6c8c4aad45a5cf30c63ba899518e
2f147b494d861fffbcac1e6a6a1d06e6b0580e1477d3b0baf1cdc32cc855c1c2
7ab8dcc49e4eb0f926cc8f0c2e73b6a9a6feab0d722a1958782b017e4f40b5bc
6e5e27bc92b93de549b7aa49c8121317d0a69d8c9656c7654ddd224b3aa88dd9
8f8efee21ad5113fd3fba4b5307a34e637bdc2baa5d1831115ec76a77340324d
bfab5dba968ea32cfebdfa250f4a7e46e6340f9d45761fb896d970312cc292ac
57b7e6ca23498eff3f900f41d70342cec7f2fddeea52ff389ff05c75168ec0bb
367fbc78ead2f3e3b9751423f0f6662b6ded68d3b312e6fd862e36bb3070150e
28b54683c8db0b3edeb068646b0aa206b84363c38d62597597bd9a8e5dac9dc7
94ebb573c419aa5212d6bb085568c0c0f63dfb98fc01b9296ef233d2d3e8ed09
96e45d33cf7e671adafb99d4e650d51930eff09ba7397b0ad0b40f8b796f27a3
07087ebf2f3a9c3376a5e5eae1e17fdd69cd63b8a1a1cfdc74d4c035114cceed
1b13df7970dd431fb6ffded3d14c2d2874d4296f2be5e802b119e2dbf128dff0
90531a072264396851ce29352bf7dd57b4fa45bf4046d99feb45bba12785f44e
d2808870a3e817af46ddfec49591a8194fe0e16a18c8bfea4fbdbcb8ad01ea9b
7233015fc17883e2b8d9cdfae497cc88f61045be329736360dcf911f8054401a
5f47fd8fabbef15a179233c5804fda348ac5336c59a81700b7b2fee97daa86d7
5c2c9a566eea71e269aea70ec4480f8580be7fb8ed90525c510ecaf78959530f
42e33f88b96933f3ca961f17c2d6dddb75ef0a12d63445050bab49932ceac31c
faadfbb4f2b75ce0b608f44582390c2eeac4c3a91e5d6aba2d1d917809e1bddf
35ca9e1bbc346e37654a30f90147563d54fe2026310aa8e27869fb5a36943c43
34bc45f895d67407509a698a1356bb6b83afee483b48776853a449918900e40f
0a5b874c927048ad194cd1150972f130aa2fa789de76f93e822408a291dc5f77
d2f6db105fe997f60739a7b253dc4d863d35a41105c36bfd16a7a26a5a37b808
d70c37c5571bad06fb22bcec1ced7b9d2c34729314fb7012069ec7a3918833af
1864b758286146998d8cee8145f71eb2206839bb5bce240cf84fad01eaf9bff4
5b8d7571928fa4985caf43f8a1b91df34443cd9d18f3df76a10b3f67683d3054
13bd233a9efff1d755172c4548e3d1b78a881f0c911ab25129c38d8c47034a40
c56e4fccecbc961669a5c7c1ece545b0d37f3dd9f72d210cae2662c38664953b
c4fd7505597f3cc67d4b52ddbbf03a5a53b60a318abb2b35e5a9cc97f592eff0
19e8083ff0290480e03d8907de6652320ec08f22ab1439ba65bebcca2c3daa19
e6e9b2996939b2b53882d860a20106ac2e0f8098cdb8409974721fe59cf5cef1
146ba9f41fa5df4ea395897c82cdf473edb747fa681c10d856265eaa013a3fb1
20720467748d05be1ab69c778a39903853055c152611ad382598289fbb477c14
21fad8616890cf4f837256c1f08a7253eb2c635eda856b4bf0bdcf757fe11df8
80a91ba5de3ca86da464eec7430f10e2f41af050d2b2664819552e31b9cfc9ad
2887281c3d63a325fbce29baf2743229245d8c3d60c2f35c58e811c047d3a445
33a88fe6766c7690af6348f7ab5799eba539586cadede6b4e85ed16594aaf236
40904e129f4f24f277e69da389cfef0820f0d05869acb82855cb98f9b319c7b0
ea31ada5d78734e8ea320b458a5a3e60b573d37382f199d3b591615c966a415e
99b6c2cf4b3073ede4392faed4f59f11f224901d1b6f832093761dea098b49c9
9506615499fa08a990eec75493cbcec5368b00cf08298dc5fd12ff79f2c6869b
4ac8b7478cf954c40b4d8c886e88dfb3342a96828ff547327310684daca98f08
abe0236898b49da34b64f190b51e95f8609259a15fef22dfbcc799c836b21e7b
626cbac6d8603826f268fea3c3ba71a6f29f4069ec7c29dfac8183c60c836b4f
f737cf2b95b50ba16f808732cb02a4cba7ca1e8b39f7a6fa51a34ac3f4ee5314
7bc7a4ba0ace6c1032e997bcd47aeacb68639ba09be33c148fddda8deced57b5
623d8ac5fc8baa72797d2c89a1753de8a1d0dfadb8f1de986c76189dd11991bd
90b3d2326db31030d665e6c2cce47ed2877bc579d236855c96f04b962c4a29f7
3f8cc86cb6a92b2702ae54f8c712a84968b821ff922bd6e0f236afe288d72809
8f346c975ebe1bb1d7183cde56d4e579b0d6ebbca44c929d62d0be48a3bfd3a9
4d81c008321f374d09d1e03536ee3c267dd76941e38c6cf4d89648eb247d22b4
76c3200cede3e533da79e52b9aeff692108fcfd55f4452879581b7d8f0d8ccda
cac03a778201597d833fa8be6f5e6bde1e5b4a17d067b18e0e738f596d2290cf
4d26059fa0bf8b4f665f15a2a48c96545ae60e53d5725f926c4ee031fa0db54c
b12b32bf3987407b920cbe3b2460f9b3af0fc38e5526c7daaa42c1cd62ec03b7
ed3ea48f83361d11ae059e7e2ee11fd209ad83614aef69c751b78af60edf744d
d53d10752ff7b2a821d41237a8584bb79d4d347885e96dae598109cc78e1e1dd
4e5ce65dd777571d3ec827d72ff0c1e203b6ab5e09902fe1ea81493d3742957c
00efdb259f7bf7cbda59d7ebd883c50e5206cb3b55ad583b2c81399f235786b7
6f93de9da5c5a04fee964e0b5802108a15a743e507bb98218a383e2eee7a0df0
cd4e99627ab0b38147474920a3189472e8900c592cc5741e1df00a17f4215cf9
329b6335303bf937b9b77a5602eaa3f9f1b828b10d719134ea001cf8ffd4bae8
67d131acc5a819a9d4d4a4396a16d5cde9159e99e9336ff84d782d89d22a0517
bc800d3ff305ac703bafc39f8e4613905b5fc4e95b8bacfb5625ca01117a6ee0
7f7bfa04da691b74896851c660e6d083413ded0b3148ea7874688d077afaf221
366fba5c072eee8008ce61faa34698959fe78d89060614eb091542172ab09224
f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e
26e492550e4476fd83347c42aad2a01a9aa9a016bb2d4f5b4fa52590bff80725
2f54b9ea94d211852401680c81e26ebfa9175c882d21a06d6fbc9b29ecafadd8
db2216b7d3c61c95d041079ca906856e144e924710517a4064113118b036ac6b
a8e255934640a077ca242c52d0cbfc811255a31c639881f05f949a52f8c86211
4c0d2a24687dffc2482e0c1f8615073a8b98b2a138435b9118677eabed5394fb
d485c3cdf5f5e8389541664e4ba7d259800f5026428cf563d9556b0dd9348da2
578ad0360f121d1259108e0d78f80316884f7a96e5db48d5effda67c174f3512
34e275132ad3a5734f4f00dd79d3f3cb6c828daa578901ca0805ab261070a1dc
e1be7e259c026d9165d24c215e87a06d95a9130c8c17b8d7da9e31ee727835ed
056cd4d550294b978e510539d2ff730e5a5d00b7c2421c0c4e24f78d04e02921
82647977fc8c36f765a0ba91e7947cb3c12b9a97659eb52e7241474fcde3b7a6
acff677c0a850ac3658544ae2f2357b2818cd0dfcaef96db5605d6ec1147aa47
a9a19fbfbdcee1fb98941638d60b3a09236d799417302e3dd252516284bef175
00602c28afac5273634943fec13353ca7efbe28379f32d1904c6e6b5793ac3ec
5b53f29e62c6e358671913c03e96e4c6e9c01f63c8344e552f54bb8b5141ca34
8f29df372ea828f3a52b2f89d3b158fc55590d76641d4c64277c9a97006c9ac6
a0499f829520323d989f05da98f65716c091f32bfe55ec66c148e3d22ae26d7c
fc036053c8d116d9afa0cf900cf326162b8537d8de26274571709ded1b5e4c0e
6cd4680ef59dc3dc716dda8080b3f828862176c49296d13837877257cd388494
4cee2daed5ef22cdad5648d34a17fb0eccd80d0a9904f94a611885558ad0ab79
34b36492ce022c7e552d06271b2f80f4a7ec16165485a99d66a72e9520953c98
8e9ae899ab2347452d71dfa4c2c028e13973b6569fd4ccb3021b7f41c011aca7
1e86ba19a1c4464b3d7d7158b36a4715eabc87c281373535069ecf534c0e6d3f
0d36c927de9511ab07012226e89fc7881466995ecf177d53978dcdb0992d6f59
d57c4024e38380f7ea82beb5f01fa6c36e15178cd228802466b3f742dc41e834
d14eeac9881ae85f200e88f1d3085a40687e2b97b251efe28ad6e3f486b96424
24856252455774497eb59baff612ce107ec6c65c50cb62c76f4950b7b565b00d
63d5581ee1f0c07a80d9eaa1d039310ea95b67268fdd81f1b1de0d7dfea4e685
4e9984008a77c2ced3cb4d3377a1fd34b4fbae0b646af780ca6894f93d0e9ce7
23282469eeda3bf1c95970331cb767bc6bec08378544513eafb61b4a8d21f0c6
e9f3ec46387776b505948a3e6dc2f327edb466fec966a43124f950d34d572b58
bfa09378fbf5c19facce069caed42b282e1a137e9c0570b10196bafebcb7bda2
bcf5157cb913dee02e6af79aa4fd3470b17f49e2cc06169b9f9b900cf4f0f9f6
ea52680e80eb9e200c61abd755587ec2fd5ed477e8093dbcd8d75200be09ac0d
SH256 hash:
f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e
MD5 hash:
f38c67037dc643ac9e896f13047867da
SHA1 hash:
5dcc4998f9bd9629675377e7fd371b3126e32842
Link:
https://www.unpac.me/results/9bf0400f-44b4-4386-998e-48ad91268400/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8213782aa4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f8213782aa4acd823fd5866defe816fff5308289c67d730ba9f52a7c92c4042e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2654756/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/400781/

Comments