MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163e37f2ee6eda9bbd191f6e1db3f451ae1618d56cae6bd3d9e6cd56ceafee6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 163e37f2ee6eda9bbd191f6e1db3f451ae1618d56cae6bd3d9e6cd56ceafee6e
SHA3-384 hash: 7a8164ff7323d58c1ec79d8e7746188a0bb751f26d6b731fb908205c519a315dea764bc38e53f86bafd9d2d60497802d
SHA1 hash: 5019aa20beab2807deacf3b2f099db33c4eb9c1b
MD5 hash: fcaf207066cb2a8d6bae8d8b49dfd7eb
humanhash: connecticut-thirteen-avocado-finch
File name:fcaf207066cb2a8d6bae8d8b49dfd7eb
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'638'184 bytes
First seen:2022-01-14 03:12:01 UTC
Last seen:2022-01-14 04:34:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:aOnoEwoPtej//lVO8mC5GN6N+Zqm0G2kjBJ3:aZiPtejV1mC5Gsy+R8BJ3
Threatray 936 similar samples on MalwareBazaar
TLSH T16CF5338B9114B666E86F53F844015C7195E23C4023EBB986133F3AEF90486FBFDB5668
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fcaf207066cb2a8d6bae8d8b49dfd7eb
Verdict:
Malicious activity
Analysis date:
2022-01-14 03:15:25 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/73597361-fadd-4e0e-baf3-dc2420824ed2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219208/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61e0ea081883c5ba4eca0ee9/reports/ad3f1aef-e90a-4516-922d-083a780db206/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d3910b4-9069-4698-8238-3cd08c3b2c15
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920531
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/163e37f2ee6eda9bbd191f6e1db3f451ae1618d56cae6bd3d9e6cd56ceafee6e/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 21:13:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
34 of 43 (79.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cy7dp4xon3njxpizd5xb3m7ukgxbmggvnsxgxu6z43gvntvp5zxa._file
Verdict:
malicious
Similar samples:
000ce7749e7533131305766c3858bbad54a3dcf93e227c829c828ca750a01280
RedLineStealer
17be6c33020601127b2ac2e87be0dadb64c7af911d38ba70bf4d86d595ca4759
RedLineStealer
3ed3b03c36265ddffd8382859b7545cec6955331f85907018adc4bacde22e70e
RedLineStealer
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
RedLineStealer
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e
RedLineStealer
a0f70f88c9a376e7c0f7e508c796bf1dbbf58ff8b172b9aff3421be63e2d7f78
RedLineStealer
b554c35225b03058b8a649646f8c8665100064e1442c458e4f7e1f5c61e19dec
RedLineStealer
bc42874e55e3e5c1c1d2201d619fda3971d27a6427850a03baeb2b67408efa97
RedLineStealer
e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e
RedLineStealer
fd61c25b7d28f6cbf12269fc8733fa844fa888998c16f0046b1520761fc0d79c
RedLineStealer
+ 926 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220114-dp8ceaeab2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
36ad5af195cb23296aa3b97778733cf8052dbfb4416733962e2582c736c5e600
MD5 hash:
3bc5b5c635478d2c41c44592154b8b06
SHA1 hash:
0d1e813c31d2aabef38bc04c2f10264496bcefa2
Link:
https://www.unpac.me/results/713288ea-16ae-4e62-97bf-81828272b80f/
SH256 hash:
1a2aaf599d191ccbbbf45d6819f75ddaf84aeb92e8e809ec7e4a5933ddbe376f
MD5 hash:
e6639d61180245a6694fecf5391549cf
SHA1 hash:
c4bf92491da69144df20929252ae305e7ffd740a
Link:
https://www.unpac.me/results/713288ea-16ae-4e62-97bf-81828272b80f/
SH256 hash:
163e37f2ee6eda9bbd191f6e1db3f451ae1618d56cae6bd3d9e6cd56ceafee6e
MD5 hash:
fcaf207066cb2a8d6bae8d8b49dfd7eb
SHA1 hash:
5019aa20beab2807deacf3b2f099db33c4eb9c1b
Link:
https://www.unpac.me/results/713288ea-16ae-4e62-97bf-81828272b80f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/163e37f2ee6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/163e37f2ee6eda9bbd191f6e1db3f451ae1618d56cae6bd3d9e6cd56ceafee6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 163e37f2ee6eda9bbd191f6e1db3f451ae1618d56cae6bd3d9e6cd56ceafee6e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219208/
  
URLhaus
https://urlhaus.abuse.ch/url/1975662/

Comments


Avatar
zbet commented on 2022-01-14 03:12:03 UTC

url : hxxp://data-host-coin-8.com/files/9353_1641769410_3808.exe