MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fafa893b8c65bb1851b77a7c7f829aa347a3a14aa9225abe6e1c23fe4728464b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: fafa893b8c65bb1851b77a7c7f829aa347a3a14aa9225abe6e1c23fe4728464b
SHA3-384 hash: e761358bfabd80b0658121a34819d84a7d67988ef3d3a590cfd68e84ff3b23d05b86a6ec9a255ad0f4a184b25b32b57e
SHA1 hash: 8c114d32845a82de778f369f2fa1acd2076fb215
MD5 hash: 6a40a164007ed1f22b0e2e557e9e71ac
humanhash: wisconsin-ceiling-hydrogen-sodium
File name: 6a40a164007ed1f22b0e2e557e9e71ac
Signature: RedLineStealer
File size: 1'773'568 bytes
First seen: 2022-07-05 14:05:38 UTC
Last seen: 2022-07-05 14:55:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 55a5e6e4b3f8521c2a1265b74b4c879b (2 x RedLineStealer)
ssdeep: 12288:YhSRimHwhWod9TSz2aM/dvo6g6RlojEoB7KmOiL1se8u2IphB2FvyYVJe/kL6WUd:yPaMuW7Ve/GQsPapsx+SePvSmerWqU
TLSH: T10585E693F42CF466E1EA453A7073F6075224F4BBAF555805B81D27C1EE3638C23A279A
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
  16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.2% (.EXE) OS/2 Executable (generic) (2029/13)
  7.1% (.EXE) Clipper DOS Executable (2018/12)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 268
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: http://webkita.co.id/1/data64_4.exe
Verdict: Malicious activity
Analysis date: 2022-07-05 18:36:28 UTC
Tags: loader trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 64 / 100
Signature:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Yara detected RedLine Stealer
Behaviour
Behavior Graph (rendered graph not available; details recovered from the graph text):
  Behavior Graph ID: 657376
  Sample: K3uqGBu8dW
  Start date: 05/07/2022
  Architecture: WINDOWS
  Score: 64
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer
  Processes: K3uqGBu8dW.exe started; from it, conhost.exe started and a second K3uqGBu8dW.exe started
  Dropped file: C:\Users\user\AppData\...\K3uqGBu8dW.exe.log (ASCII)
Threat name: ByteCode-MSIL.Trojan.Tedy
Status: Malicious
First seen: 2022-07-05 14:06:08 UTC
File Type: PE (.Net Exe)
AV detection: 14 of 26 (53.85%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:seo29.06 discovery infostealer spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Reads user/profile data of web browsers
  RedLine
Malware Config
C2 Extraction: 185.215.113.16:21921
Unpacked files
SHA256 hash: 2656b030d6f2a0930a1be6f05e7eace6a0cae625a57ded620c078c9192f7a8ea
MD5 hash: 30882fb6e6d469d41c7cb32e60c9339c
SHA1 hash: 0d1c311f0cff97ee6c7165dfd97a19b0bac4bc05

SHA256 hash: fafa893b8c65bb1851b77a7c7f829aa347a3a14aa9225abe6e1c23fe4728464b
MD5 hash: 6a40a164007ed1f22b0e2e557e9e71ac
SHA1 hash: 8c114d32845a82de778f369f2fa1acd2076fb215
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
  Signature: RedLineStealer
  File type: Executable exe
  SHA256 hash: fafa893b8c65bb1851b77a7c7f829aa347a3a14aa9225abe6e1c23fe4728464b (this sample)
  Delivery method: Distributed via web download

Comments
zbet commented on 2022-07-05 14:05:45 UTC

url : hxxp://webkita.co.id/1/data64_4.exe