MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578
SHA3-384 hash:	eb777c15f3a4212d67747183d422a39f30da53cce41584057219e25c5155ac9ed8e01dfb8065ea92b17ad5312847196b
SHA1 hash:	acde50f20902dc065a2100db29c31fb9c6dacb65
MD5 hash:	591dd75a6049a3ae71de34494e48cd4e
humanhash:	fifteen-speaker-rugby-march
File name:	SecuriteInfo.com.Win32.TrojanX-gen.5906.5645
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	343'040 bytes
First seen:	2023-02-01 19:29:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	69de700c621e1f34213ac69f2c7b5cd0 (2 x RedLineStealer)
ssdeep	6144:IbwoOoLfaeT7UvLLW3IoLccO+o6sxiEGDd22t2gc1XnBrJRLQn:IbvPDaeT7US3PFOD/xiFd2ZRnBN
TLSH	T1CA74F13379D0C872C5A619305D30EA91EBBEA5312C358553BF983BAE9F601D1633A35B
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	816a6e6a6a6a6a64 (15 x RedLineStealer, 8 x Smoke Loader, 6 x Amadey)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

SecuriteInfo.com.Win32.TrojanX-gen.5906.5645

Verdict:

Malicious activity

Analysis date:

2023-02-01 19:31:24 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a71c0ba8-df19-4e6e-a515-83f783dd8e0e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/359237/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.5906.5645.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

No Threat

Threat level:

2/10

Confidence:

75%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63dabdbc1c9cbf7d625530ea/reports/5fc4b327-41e5-47c4-a0a2-59d292a194f6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4160b816-b56d-4c67-8d2c-c96355d24135

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1163596

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-02-01 19:30:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dkndkswd3mm325qsyx4635th6vmgy7foeepmlinmoxbqmqndav4a._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:fredy discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230201-x7st8add5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

62.204.41.170:4132

Unpacked files

SH256 hash:

44a1bf37db59ffefc1fac2412110cbad2972d28ff563477367a68fae8d7cbd41

MD5 hash:

4255fc1fef03063dd4ba5095fe84d2f9

SHA1 hash:

8434939b022c2bef23627d1e4fc4e0726e38f38e

Detections:

redline

Link:

https://www.unpac.me/results/02980c7b-126b-41cf-9c3c-fe9428b3c53b/

Parent samples :

c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f
6f69d4bea4681b9ef42b65f4a4479bcaa0824d21f71020a8820e3e507aca3e4d
93691d155e47e29109a94902362d651cdf5dc5ba17b1e8b665c4fc99dd370e1a
45abce6e11b5dec3a8d554e632e30609ce1998db3d969bc0117449976e45c730
c66cd92a155b70f1335dfcff0825bf851b4b1e9c6ea53e6d6087fd87df8ebe50
58f3394fd637f0849ee49b99dd66b868c12d8386f47fd39821a0029f4b0fe5d2
19f2539486d7b7a3c3c5f2e81851ef4220cdb5adb95778d1b7464fdd2b9f506a
768eba7cebce8cef3a57585b6b718bbcb4ce6b3a63453a81731fa1285ce39e8f
41fa0edee86cfc72ac4bb3628b3773269038ca1227fe3abe88b878e39c4fdff9
1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578

SH256 hash:

57c14ed6abd44dc0c82f0b7d7d157297f06625213099468658862d446f4bddef

MD5 hash:

cf403e03ec81ae4c9f2046f1fc42b619

SHA1 hash:

8332ced036e9310035bed471527c4bfdec20d9c3

Link:

https://www.unpac.me/results/02980c7b-126b-41cf-9c3c-fe9428b3c53b/

SH256 hash:

631a58938d6eacff9cab0293694eb207efe1f41f69c942c728684633cae9798a

MD5 hash:

adb7cfd75e703c3a2def812ba9852dee

SHA1 hash:

1810523f94540c1734b1f167e70a08520ffa2269

Detections:

redline

Link:

https://www.unpac.me/results/02980c7b-126b-41cf-9c3c-fe9428b3c53b/

Parent samples :

c2129725fe0ece870ee9ab1b0db5a5472738fae47347c389fa936b20876f176f
6f69d4bea4681b9ef42b65f4a4479bcaa0824d21f71020a8820e3e507aca3e4d
93691d155e47e29109a94902362d651cdf5dc5ba17b1e8b665c4fc99dd370e1a
c66cd92a155b70f1335dfcff0825bf851b4b1e9c6ea53e6d6087fd87df8ebe50
1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578

SH256 hash:

1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578

MD5 hash:

591dd75a6049a3ae71de34494e48cd4e

SHA1 hash:

acde50f20902dc065a2100db29c31fb9c6dacb65

Link:

https://www.unpac.me/results/02980c7b-126b-41cf-9c3c-fe9428b3c53b/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a9a354ac3db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1a9a354ac3db19bd7612c5f9edf667f5586c7cae211ec5a1ac75c30641a30578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/359237/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample