MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a88da3b94968b3134c5bbb0fb1f4c205c1713b93bab8b791bf7ad5e26e1f1fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	0a88da3b94968b3134c5bbb0fb1f4c205c1713b93bab8b791bf7ad5e26e1f1fe
SHA3-384 hash:	1ecf64fdb2766b74f36f36d150a38965d47b8d56fa0d8bff15249d089e72df131f0edb5b0cd4e919560c4f3f1b6e3ed3
SHA1 hash:	583b47c0afa7b90a7248860c05ce1a35dc4c17b6
MD5 hash:	290c1d843794e228c251eb5192c6ced3
humanhash:	tennessee-king-march-sweet
File name:	mixshop_20211014-115222
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'533'536 bytes
First seen:	2021-10-14 10:11:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:yVzjKFfptv/SJciM8fAplM3xOmehNX5uJx3WSToknyr04:yVXKNXZpegM3smehRusSlnY04
Threatray	7'101 similar samples on MalwareBazaar
TLSH	T1E1F58B232498C92CE4176A3BE3AE41E6752F5D08CAB5463B9A8C3D87F7B744905D370E
Reporter	benkow_
Tags:	exe Redline RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

mixshop_20211014-115222

Verdict:

No threats detected

Analysis date:

2021-10-14 10:17:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f554fb52-8e8a-460c-8c22-5cc439cac980

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/197489/

Detection(s):

SecuriteInfo.com.Variant.Razy.945546.7516.12513.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/616802741c2d58ba740636be/reports/ca130cf1-e922-4a2a-bd93-2493b9bb792d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/76f7d99f-f5c5-445e-b043-28a21e406373

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/870368

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

PE file contains section with special chars

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a88da3b94968b3134c5bbb0fb1f4c205c1713b93bab8b791bf7ad5e26e1f1fe/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2021-10-14 10:12:07 UTC

AV detection:

13 of 27 (48.15%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e

RedLineStealer

323a27a7f2a664921d46c965f0c8d5977fb6c8fce20ba04e208c2945b7abdbba

RedLineStealer

6049e16e693c2c986b95858dff276d1b81cc6039f581c1d0390cd18e701480cb

RedLineStealer

63ea7b76004832b5b5d0eb66d78a7f9e8d94dd5d5af35fe0198c6211df7e4580

RedLineStealer

71c0a6fb3c31d1fa82fb99ddda7811810d9bf6306ce7e3377547035fe6b512f2

RedLineStealer

a0b5ed84de5309a8be0e533e9690dc3a2365f107978cf206a3f0084544a14f70

RedLineStealer

ccfa8b97f8273be6e7fee1beb2330cc45ab8f152c5d1bfa8b04f7b3b0b603433

RedLineStealer

d620056c5defae218de13235fc4a509d968bd55469092aa00095ff94a0246b7f

RedLineStealer

de995ae2a901c32c4a4800d423fa4dab1274d58bbf9f4be57ed59c5e184a04f2

RedLineStealer

+ 7'091 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/211014-l8h6maggen/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

0a88da3b94968b3134c5bbb0fb1f4c205c1713b93bab8b791bf7ad5e26e1f1fe

MD5 hash:

290c1d843794e228c251eb5192c6ced3

SHA1 hash:

583b47c0afa7b90a7248860c05ce1a35dc4c17b6

Link:

https://www.unpac.me/results/cefdb1dc-831b-4535-a223-c54da56f86b5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0a88da3b9496/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0a88da3b94968b3134c5bbb0fb1f4c205c1713b93bab8b791bf7ad5e26e1f1fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

Gcleaner

Cape

https://www.capesandbox.com/analysis/197489/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample