MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e
SHA3-384 hash: 5e40537d76b8c77cc217f43217bbbafb07833f9a4716c6a6b3d38e2b0f37d8bc660c3ae513fdac5e90c8fee6358be007
SHA1 hash: 25316dff51b674a33b4db6aa4187477f1bcfb72f
MD5 hash: a7e9e9cf220846cf4886665f5dca877d
humanhash: neptune-three-blossom-oregon
File name:a7e9e9cf220846cf4886665f5dca877d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:380'416 bytes
First seen:2020-12-25 08:46:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (260 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:XLiejTLJga/d4hrvaRXyLt4+Inr4D3svRfDvEfiaPuj5gS83kzteragZVr8DnyXR:XN1L/dOjaRiLt4rr4D3iIiF2xRRDAet3
TLSH 7C84239646382B87C9302C760C3B8C65236AE85369FFD36DFCD343E176B954A96133A1
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'054
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769
Verdict:
Malicious activity
Analysis date:
2020-12-24 21:33:55 UTC
Tags:
evasion loader rat redline
Link:
https://app.any.run/tasks/59398913-ecf1-42cc-b63a-f99d19b1e10a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109410/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Siggen2.60931.27028.31981.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Creating a file
Launching a process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/569985
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e/
Threat name:
Win32.Trojan.Zenpack
Create hunting rule
Status:
Malicious
First seen:
2020-12-25 02:27:17 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dabuli3db5o4gtlr7d4xbzwts6jedtmfchvhlzvmkd4wpppcb7a._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201225-4rln6pgx72/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks installed software on the system
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e
MD5 hash:
a7e9e9cf220846cf4886665f5dca877d
SHA1 hash:
25316dff51b674a33b4db6aa4187477f1bcfb72f
Link:
https://www.unpac.me/results/473f8c75-0da2-4e09-a87d-fe14e28d71f8/
SH256 hash:
598da4d180770413fd16bb1ffa76b8794dd7b0c29f3696bf2aa5accbd3d40f2b
MD5 hash:
154f3f5ef2ccfa485ac6234006daf7fa
SHA1 hash:
7213621e3e31bb70a315713b0345c0562073afaa
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/473f8c75-0da2-4e09-a87d-fe14e28d71f8/
SH256 hash:
3c338b87fab65495e0226207dc61ad770c01cd4a8862eabe74c088466d36b71c
MD5 hash:
44f2426d8aab817a4cba81d946446ad7
SHA1 hash:
dc0c509ff25a45c5bdb6233e05197803a2bf912d
Link:
https://www.unpac.me/results/473f8c75-0da2-4e09-a87d-fe14e28d71f8/
SH256 hash:
fbe20fb63e2a4d474a61d937eeeec2785edf95badf7dcb0344db805315980c68
MD5 hash:
af63ccf7fe35b03b8a2ed2eaa9547fd2
SHA1 hash:
ffe8276ce70c6c9e19a80b3e502af3413874c7a1
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/473f8c75-0da2-4e09-a87d-fe14e28d71f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/941462/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/109410/

Comments