MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab
SHA3-384 hash: 48a9e79b46649bddee72d25beaa20833f29330fe10fe284a6b1c501d280f506a5837399b9aacf43b41cc7f1d2d75e62b
SHA1 hash: 63e628501bd54422ebfc6857039d50fd97cbe55d
MD5 hash: 97e8e525e2fc27c2634da7d235f5ff5c
humanhash: sweet-august-fix-edward
File name: 97e8e525e2fc27c2634da7d235f5ff5c
Signature: RedLineStealer
File size: 404'992 bytes
First seen: 2021-07-25 22:19:39 UTC
Last seen: 2021-07-25 22:52:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f072aaf7476b5a5a056c892b505526e0 (2 x RedLineStealer, 1 x CryptBot)
ssdeep: 12288:DcyFrVdwvwFGB3yVywS1B0a7OkeOMSBM:LVdwvwFi1eMeOMiM
Threatray: 1'243 similar samples on MalwareBazaar
TLSH: T16F84BF20BAA1C430F5F211F845B993B9A93D7EB09B3451CB62E43EEE16346E1AC31757
dhash icon: ead8a89cc6e68ea0 (25 x RaccoonStealer, 8 x DanaBot, 8 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 174
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 97e8e525e2fc27c2634da7d235f5ff5c
Verdict: Malicious activity
Analysis date: 2021-07-25 22:23:13 UTC
Tags: trojan rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Result
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-07-25 21:38:49 UTC
AV detection: 20 of 46 (43.48%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:26.07 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.15:61506

Unpacked files
SHA256 hash: 2874225109e9c49b40f948eb341e850ac8368524f4b1743171e4365114e8dff1
MD5 hash: c624a09677e63c0465dddd15a8e8e617
SHA1 hash: 7b774d32b49a02d04d94fcbc289d645c7e803d7e

SHA256 hash: 76d18287023515773565e61bcfdea5f3c8236f0ee13270e126984cdb7aa9e9ec
MD5 hash: e56a6776504bf2511a37c9ba69350aa2
SHA1 hash: 3ec2c6822a23c2cc3dca4541f11c6a40c47381d9

SHA256 hash: 763413a79820c8648c9c34648d4c90b2ffa46c688bbf5ddb8520fc9394a5d26c
MD5 hash: 4ad73e90d61a40e949d44b82688d0ce0
SHA1 hash: 01e3d0b84eb33f52aeb363332e0da53e3a4105cb

SHA256 hash: 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab
MD5 hash: 97e8e525e2fc27c2634da7d235f5ff5c
SHA1 hash: 63e628501bd54422ebfc6857039d50fd97cbe55d

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: RedLineStealer
File: Executable exe 0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab (this sample)
Delivery method: Distributed via web download

Comments
zbet commented on 2021-07-25 22:19:40 UTC

url: hxxp://dahgarq.top/jolion/lipster.exe
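The indicators this entry gives an analyst are the four file hashes, the extracted C2 socket 185.215.113.15:61506, and the defanged download URL in the comment above. The script below is an added example, not MalwareBazaar's own code: it hashes a downloaded file with the same four algorithms the entry lists and reports any digest that does not match, refangs the comment URL, and sweeps log lines for the C2 socket, the bare C2 host, the download URL and its domain, most specific indicator first. The log lines in SAMPLE_LOGS and the file name in the usage comment are constructed for the example; only ENTRY_HASHES, C2 and DEFANGED_URL come from the entry.

```python
"""Hash check and IOC sweep for the indicators in the MalwareBazaar entry above.

Added example, not MalwareBazaar's own code. ENTRY_HASHES, C2 and
DEFANGED_URL are copied from the entry; SAMPLE_LOGS and the bytes used
in the self-test are constructed for the example.
"""
import hashlib
import re
import sys
from typing import Dict, Iterable, List

# Indicators copied from the entry (file hashes, extracted C2, comment URL).
ENTRY_HASHES: Dict[str, str] = {
    "sha256": "0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab",
    "sha3_384": "48a9e79b46649bddee72d25beaa20833f29330fe10fe284a6b1c501d280f506a5837399b9aacf43b41cc7f1d2d75e62b",
    "sha1": "63e628501bd54422ebfc6857039d50fd97cbe55d",
    "md5": "97e8e525e2fc27c2634da7d235f5ff5c",
}
C2 = "185.215.113.15:61506"
DEFANGED_URL = "hxxp://dahgarq.top/jolion/lipster.exe"

# Constructed proxy / connection / DNS log lines for the sweep (not real data).
SAMPLE_LOGS = [
    "2021-07-25T22:20:01Z proxy GET http://dahgarq.top/jolion/lipster.exe 200 404992 user=alice",
    "2021-07-25T22:21:13Z conn 10.0.0.23:51344 -> 185.215.113.15:61506 tcp bytes=2210",
    "2021-07-25T22:21:20Z dns query dahgarq.top A src=10.0.0.23",
    "2021-07-25T22:22:02Z proxy GET https://example.com/ 200 512 user=bob",
]


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the IOC matches real log data."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Hash the bytes with the four algorithms the entry lists."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: Dict[str, str] = ENTRY_HASHES) -> List[str]:
    """Return the algorithms whose digest does not match `expected`.

    An empty list means every listed digest matched, i.e. the bytes are the
    sample the entry describes. Checking all four catches a truncated or
    mislabelled hash in a copied IOC list, which a single MD5 compare would not.
    """
    actual = compute_hashes(data)
    return [alg for alg, digest in expected.items() if actual[alg] != digest.lower()]


def build_ioc_patterns(c2: str = C2, url: str = DEFANGED_URL) -> Dict[str, "re.Pattern"]:
    """Compile the network indicators, most specific first.

    A full socket (host:port) match is a stronger signal than the bare host,
    and the full download URL is stronger than the domain alone.
    """
    host, port = c2.rsplit(":", 1)
    real_url = refang(url)
    domain = re.sub(r"^https?://", "", real_url).split("/", 1)[0]
    return {
        "c2_socket": re.compile(rf"\b{re.escape(host)}[:\s]{re.escape(port)}\b"),
        "c2_host": re.compile(rf"\b{re.escape(host)}\b"),
        "download_url": re.compile(re.escape(real_url)),
        "download_domain": re.compile(rf"\b{re.escape(domain)}\b"),
    }


def sweep_logs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per matching line, labelled with its most specific indicator."""
    patterns = build_ioc_patterns()
    hits: List[Dict[str, str]] = []
    for line in lines:
        for name, pattern in patterns.items():
            if pattern.search(line):
                hits.append({"indicator": name, "line": line})
                break
    return hits


if __name__ == "__main__":
    # Usage: python ioc_check.py <downloaded sample>   (file name is hypothetical)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            mismatches = verify_sample(fh.read())
        print("hash match" if not mismatches else f"mismatch on {mismatches}")
    for hit in sweep_logs(SAMPLE_LOGS):
        print(f"{hit['indicator']:16} {hit['line']}")
```

Run against the constructed lines, the sweep reports the download URL, the C2 socket and the DNS lookup of the download domain, and stays silent on the benign line. Matching on the full socket before the bare host matters because the entry notes the C2 runs a known protocol on a non-standard port (61506): a hit on host and port together is much harder to explain away than traffic to the host alone.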