MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9
SHA3-384 hash:	8ee243410bbdeec79d9ea9ae9510e51768515c16a6ac837e66dda9e155ec1186299b43428ee4a1f67d156e17d3ad1810
SHA1 hash:	3e33b7b9c9fe6d2f7b7989d30ea0eb710fac9abe
MD5 hash:	14e44f49785c8ded87796a6da24f7130
humanhash:	quiet-equal-nevada-skylark
File name:	14e44f49785c8ded87796a6da24f7130.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	653'312 bytes
First seen:	2021-02-19 08:43:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:/88CPjyOnQlmmg+HDGjbN9EakCezu5KAN8QkHqv+CFQu3KJP:EzPnnqDg+jGjx9rTdh2s+s33KJP
Threatray	56 similar samples on MalwareBazaar
TLSH	88D4AE35AFE4A135F4A8E3B08C204C741E385F667956836F64E6B3CDA877201D2B4AF1
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/117946/

Detection(s):

SecuriteInfo.com.Trojan.Siggen12.1135.10754.27065.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Connection attempt to an infection source

Stealing user critical data

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/612473

Signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9/

Verdict:

malicious

RedLineStealer

593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5

RedLineStealer

5ed7321d0e4d7e0dbec935824a15bd6706d26e1798c8d86ac820e7632fa12af5

RedLineStealer

7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9

RedLineStealer

887084bcfd243d9c685a80c8b94ff04b56936b6a282988a2488463ba70e7d054

RedLineStealer

ae2ff54d0460f10178a7984924504119353fe27dd7c84f1166505593cb7e464b

RedLineStealer

b0237d56d9d18a2211cc5cda22534f4b20fece44178bc9cbd8b5d2f469916f44

RedLineStealer

e575af9a4b8de92d24859894514462f2c9ab0a5cb16cf1798a55c923613cd13c

RedLineStealer

e8234089e3729bbb6cbf5cf5deddad37b3dbe90180bc307ac8105f5f240a5b82

RedLineStealer

f8ecf503c77e2e7a97a626cb5bcd6954eca80c2a7e2963fd916ce9d0d17b8be0

RedLineStealer

+ 46 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210219-c8ystyhrla/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Unpacked files

SH256 hash:

70a755db5fe9ff5d906cf9e505bfc9005f6935a8d8236d2e9a0a382ac68265d1

MD5 hash:

038f3a1a2b95e0d55140ed319d62c09a

SHA1 hash:

d7fd55c9caeb6e828b26ab55b4ea995b26716140

Link:

https://www.unpac.me/results/94026784-55bd-48af-b3c3-3fd0de64f675/

SH256 hash:

1f5c72d7d7459e68bad59bec5b053a565eecd15acdda5722517f3389b4cb2bfd

MD5 hash:

727f49e7bd6e4f9af5babf13f8e548df

SHA1 hash:

747043b6d343adb7c522fb5d4ed63563387c4b75

Link:

https://www.unpac.me/results/94026784-55bd-48af-b3c3-3fd0de64f675/

SH256 hash:

002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9

MD5 hash:

14e44f49785c8ded87796a6da24f7130

SHA1 hash:

3e33b7b9c9fe6d2f7b7989d30ea0eb710fac9abe

Link:

https://www.unpac.me/results/94026784-55bd-48af-b3c3-3fd0de64f675/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9

(this sample)

Cape

https://www.capesandbox.com/analysis/117946/

URLhaus

https://urlhaus.abuse.ch/url/1000485/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample