MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09d20543cb3f667f2f67134b7cab7e71ece2895acb1e8f1dc1f651d91469bc69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09d20543cb3f667f2f67134b7cab7e71ece2895acb1e8f1dc1f651d91469bc69
SHA3-384 hash: c16ee1ab538853ae970320d0a3cc8fed8cc58d8a9f4d29523f23cc8747f349534ff4b9dd94ff0ea0996723e34002c078
SHA1 hash: 52d0c9a837b7baa1f714f2e50307ddb069aa8efe
MD5 hash: 7dec1c73425268a99bce7bf535415a23
humanhash: kentucky-six-nevada-blossom
File name:7dec1c73425268a99bce7bf535415a23
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:438'784 bytes
First seen:2021-12-03 19:24:38 UTC
Last seen:2021-12-03 20:35:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bbdc5cea7d9bbd6ae9c6a36e9d9fb769 (8 x RedLineStealer, 3 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 12288:bjqUQxAat4b0QRyTKO4cOnwdvuX39olVKNU0:bjVQAaU0QkAkdemkF
Threatray 4'200 similar samples on MalwareBazaar
TLSH T19794BF00E7A0C035F6F357F84A79A369B52E7DA1AB7560CF62D156EA56386E0EC30307
File icon (PE):PE icon
dhash icon 68e8e8e8aa66a499 (33 x RaccoonStealer, 14 x ArkeiStealer, 11 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7dec1c73425268a99bce7bf535415a23
Verdict:
Malicious activity
Analysis date:
2021-12-03 19:27:47 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/46f496b7-a583-40b1-ab17-1cfb62961842

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211119/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.20360.8422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/693/overview
Behaviour
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61aa6f134d8e6f3a5e0dd934/reports/998b29ab-69de-4cb8-9c67-9bc8dc1c5b09/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad068417-e93c-4748-8f23-32c0ab55de3d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901145
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09d20543cb3f667f2f67134b7cab7e71ece2895acb1e8f1dc1f651d91469bc69/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 19:25:15 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhjakq6lh5th6l3hcnfxzk36ohwofck2zmpi6hob6zi5sfdjxruq._file
Verdict:
malicious
Similar samples:
03e6cbf0499c16281e1fad318fed79c70ee3ebd0abc2d2577b8d5690759e5f2d
RedLineStealer
116d7de7a0b9cb20a6ee1757752c0edf48efc465ab9090babd746bcdab6fe9f2
RedLineStealer
3ebbbaaf09f705f0d7f12a21466fc60f4a08ba7ed9c7fb209666e0d45e342405
RedLineStealer
88c12eb802c422278c5c7b48fc62e3a79d7a34710d338a3d7682525a4eec4fc4
RedLineStealer
c0166e944a7c2577c74350efa20721ee13b4915d2a1f0443b78e3d877781542f
RedLineStealer
cca02eaba0809751d81481ee4db3631ff546054d7ebb11d5099f58ca91dbadd2
RedLineStealer
+ 4'190 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:noname discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211203-x4y7tshcaq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:26828
Unpacked files
SH256 hash:
efa8fec7208720e734903a42d2cb362fe3d6ba9769c26e52734a3ff87060239d
MD5 hash:
14386e7c1116fcb10790ed6a7991a945
SHA1 hash:
51c7afa94ca210e2aefd707246e17f08f2b33904
Link:
https://www.unpac.me/results/d73658e0-4acd-4890-9c3d-facaa28fd351/
SH256 hash:
04d895ff7bed861bdbd5f12e9f6bceebb5fdca87771e93297f5084e678118b62
MD5 hash:
a5bc1bf75c0df90cce2530c5ce5e77d4
SHA1 hash:
1e816e1c19cd363eaacc498835ee9925198ce1ba
Link:
https://www.unpac.me/results/d73658e0-4acd-4890-9c3d-facaa28fd351/
SH256 hash:
bcaa0a2f1dbe3edb77349cfd30474c5ad541b80099c3b025a600fcc53346f810
MD5 hash:
d176199daf05e7b75d24e36d1aaeaa65
SHA1 hash:
0c98d33fe420bbf0decbe19a2fdb2e265ca65c85
Link:
https://www.unpac.me/results/d73658e0-4acd-4890-9c3d-facaa28fd351/
SH256 hash:
09d20543cb3f667f2f67134b7cab7e71ece2895acb1e8f1dc1f651d91469bc69
MD5 hash:
7dec1c73425268a99bce7bf535415a23
SHA1 hash:
52d0c9a837b7baa1f714f2e50307ddb069aa8efe
Link:
https://www.unpac.me/results/d73658e0-4acd-4890-9c3d-facaa28fd351/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/09d20543cb3f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09d20543cb3f667f2f67134b7cab7e71ece2895acb1e8f1dc1f651d91469bc69

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 09d20543cb3f667f2f67134b7cab7e71ece2895acb1e8f1dc1f651d91469bc69

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211119/
  
URLhaus
https://urlhaus.abuse.ch/url/1849426/

Comments


Avatar
zbet commented on 2021-12-03 19:24:40 UTC

url : hxxp://185.215.113.208/ferrari2.exe