MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8d91f4cc808efd7847ecf949ca9d58874d0ade5d086089f3c36e2a32737d3ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: f8d91f4cc808efd7847ecf949ca9d58874d0ade5d086089f3c36e2a32737d3ce
SHA3-384 hash: 18366be09f9c75629795cb930c6cbf200529e14d08a625e8efd932c8b565916c7aeeb5dc041f162fdee115df069d12d7
SHA1 hash: ab9ae1212c685fe41064bed83e1d7ba91186942a
MD5 hash: c986663298d3883222625d68b6e40d8a
humanhash: mike-sixteen-crazy-fish
File name: c986663298d3883222625d68b6e40d8a.exe
Signature: RedLineStealer
File size: 300'032 bytes
First seen: 2021-09-17 18:59:28 UTC
Last seen: 2021-09-17 20:20:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 410705447b2186b51cd6d6e90a878e3a (6 x RaccoonStealer, 3 x Tofsee, 1 x CoinMiner)
ssdeep: 6144:8avULP82v9aBqmsVrjv9SgR0QcE2Yzz5JHJtF:8zg2vMbsqgnTltF
Threatray: 2'601 similar samples on MalwareBazaar
TLSH: T15954E01175E0C432C7961931A827C6A50A7EFEE1392D51AB7B683B3F7F316E06A61307
dhash icon: 327a7c7d767e6e76 (4 x RedLineStealer, 1 x ArkeiStealer, 1 x DanaBot)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 217
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c986663298d3883222625d68b6e40d8a.exe
Verdict: Malicious activity
Analysis date: 2021-09-17 19:08:03 UTC
Tags: installer trojan rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-09-17 19:00:45 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:pub discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 45.9.20.20:13441
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe f8d91f4cc808efd7847ecf949ca9d58874d0ade5d086089f3c36e2a32737d3ce (this sample)

Delivery method: Distributed via web download

Comments