MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb8eefbb37ac7128e2c50d69050129f3971f280104bbb66fed8f6c69c129e1b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb8eefbb37ac7128e2c50d69050129f3971f280104bbb66fed8f6c69c129e1b9
SHA3-384 hash: 4b264ab73c66f63d18dd842e11e322b30f4514cac0a65bd7efb7857b2227d736654acd32f5eb6010ad4b89e7c78aa89a
SHA1 hash: 8e6e4c45c28d23fc91bd24c3a7aefa59766639da
MD5 hash: 831bbd8461518993bde2c512023954bd
humanhash: twenty-nitrogen-sink-sweet
File name:831bbd8461518993bde2c512023954bd.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:567'296 bytes
First seen:2022-03-05 18:22:20 UTC
Last seen:2022-03-05 19:35:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:0nXROal8WFfzAt/PorQnRR7SWJaQS03ULaHNqrxlKIQNo4I1mcOeOvql/Uq:0IU8WFfM1PosRR77akEaHNYK3C1ZOeQW
Threatray 1'588 similar samples on MalwareBazaar
TLSH T10CC4239F2A815A4AC24C03B03DE1292ED1EF3E7DA4CC6766F94399CF4E64465AF180F5
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main_setup_x86x64.exe
Verdict:
Malicious activity
Analysis date:
2022-03-05 15:06:02 UTC
Tags:
evasion trojan socelars stealer rat redline loader opendir vidar ransomware stop
Link:
https://app.any.run/tasks/2da358fb-94ef-4380-8e7c-dca05fd6385e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247567/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Sending a TCP request to an infection source
Stealing user critical data
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60faebe1-dba6-448f-8bb7-4eb75a756b90
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951235
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 583716 Sample: 8r242AqwrL.exe Startdate: 05/03/2022 Architecture: WINDOWS Score: 100 26 store-images.s-microsoft.com 2->26 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 3 other signatures 2->38 9 8r242AqwrL.exe 1 2->9         started        signatures3 process4 signatures5 44 Writes to foreign memory regions 9->44 46 Allocates memory in foreign processes 9->46 48 Injects a PE file into a foreign processes 9->48 12 AppLaunch.exe 15 7 9->12         started        17 conhost.exe 9->17         started        process6 dnsIp7 28 92.255.85.137, 41320, 49761 SOVTEL-ASRU Russian Federation 12->28 30 transfer.sh 144.76.136.153, 443, 49773 HETZNER-ASDE Germany 12->30 24 C:\Users\user\AppData\Local\Temp\popa.exe, PE32+ 12->24 dropped 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->50 52 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 56 Tries to steal Crypto Currency Wallets 12->56 19 popa.exe 1 12->19         started        file8 signatures9 process10 signatures11 40 Multi AV Scanner detection for dropped file 19->40 42 Machine Learning detection for dropped file 19->42 22 conhost.exe 19->22         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb8eefbb37ac7128e2c50d69050129f3971f280104bbb66fed8f6c69c129e1b9/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-03-05 18:23:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oho7ozxvrysrywfbvuqkajj6olr6kabas53m37nr5wgtqjj4g4q._file
Verdict:
malicious
Similar samples:
22c3fa70f641f2b75a8b0cdd6cab763c2b968e88318bac611f1a002022aeca39
RedLineStealer
59131e55898be4de6efa846f46a69f71e7ab941e6b0e3f6fc01b80693d68ea44
RedLineStealer
65754345d292205db7518a9c547072b325fe3be3fc322fd6e0f7cd523f00ec6b
RedLineStealer
6b737843eebb48068a3ef0bce32560eb1bb8b1db1ed2cd7018c8742b099ace17
RedLineStealer
9f6e71649662dd86ed3b65a8d20ad8c21971cb8087d14eeb34449f04b573b737
RedLineStealer
ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2
RedLineStealer
b63ab3c3d30931c5c5297641b70cd011151334a03151287e57d7b6d7a32ba457
RedLineStealer
dd469d067ee8f95f77fa9de6ae88c95e3a3d1b35c908c04eeba82a46316d1990
RedLineStealer
e8d6083106514e1fa3a1687de25e4ac31b1f1af0d4cf35bf0c11d7f5bea377b5
RedLineStealer
+ 1'578 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220305-w1f2eaaefq/
Behaviour
Program crash
Unpacked files
SH256 hash:
27a89e3ebab3b3bde08654f7b91165fd24246215f62282131c3521d725466544
MD5 hash:
c209e208affbba3e69d545c4c2de337a
SHA1 hash:
aee340784f2c236690e5bd5af7824061a7a8fb09
Link:
https://www.unpac.me/results/db37364e-dafd-49dd-81e8-2b6f3b34b21b/
SH256 hash:
326664d39ceed586d51331bb35492c9c25f1015d1ecb277c7b1edbc7211279e6
MD5 hash:
8efe063370192353f0216ae87f6148c9
SHA1 hash:
c22ce008e6e185ea8517d4142818d512df67e51a
Link:
https://www.unpac.me/results/db37364e-dafd-49dd-81e8-2b6f3b34b21b/
SH256 hash:
fb8eefbb37ac7128e2c50d69050129f3971f280104bbb66fed8f6c69c129e1b9
MD5 hash:
831bbd8461518993bde2c512023954bd
SHA1 hash:
8e6e4c45c28d23fc91bd24c3a7aefa59766639da
Link:
https://www.unpac.me/results/db37364e-dafd-49dd-81e8-2b6f3b34b21b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fb8eefbb37ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb8eefbb37ac7128e2c50d69050129f3971f280104bbb66fed8f6c69c129e1b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fb8eefbb37ac7128e2c50d69050129f3971f280104bbb66fed8f6c69c129e1b9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1828281/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247567/

Comments