MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d9f9b445634e6bbe6eb9999d39c2288ec33ad8559c2d6526cb498250353a7b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12

SHA256 hash: 1d9f9b445634e6bbe6eb9999d39c2288ec33ad8559c2d6526cb498250353a7b1
SHA3-384 hash: 9e376c001111f49830a3cde1960d7e4888f4b240ccba5ac584671960ddd2676d31bee8f731287766fddaca0e6027e526
SHA1 hash: 339c68769736f4d2fa5f461a10392e9bc0fd06a7
MD5 hash: 612a7ca440022770257ea2471c8cb04d
humanhash: illinois-uranus-uranus-cat
File name: 612a7ca440022770257ea2471c8cb04d.exe
Signature: RedLineStealer
File size: 324'096 bytes
First seen: 2021-10-08 07:14:24 UTC
Last seen: 2021-10-08 08:04:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0dd592f35b48076810a8314d458b6b4b (6 x RedLineStealer, 4 x Smoke Loader, 1 x OskiStealer)
ssdeep: 6144:N53OsTwXUBorymujNJ3AB1vm+/+FlRZ1wNQaPXUfywwpxopfBR:LTwMoryBJwB1uk+3VwlnNpxyR
Threatray: 2'467 similar samples on MalwareBazaar
TLSH: T11964E02136F5C471E66F59384E7187A28A7A7C219E3189CB1FB0A6EE6E353D1CB14703
dhash icon: 83bcdcac9cccb4a4 (1 x RedLineStealer, 1 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 197
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 612a7ca440022770257ea2471c8cb04d.exe
Verdict: Malicious activity
Analysis date: 2021-10-08 07:18:09 UTC
Tags: trojan rat redline
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Stealing user critical data

Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer

Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2021-10-08 07:15:12 UTC
File Type: PE (Exe)
Extracted files: 31
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:paladin discovery infostealer spyware stealer

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload

Malware Config
C2 Extraction: 178.63.26.132:29795
Unpacked files
SHA256 hash: 1b8380160e547aeefc07dfffea1aeb99455605217a59ddfa97b94d30c5ad0498
MD5 hash: 1d855f7b17ad5be5f39a2a7b275b3653
SHA1 hash: 9171599cc03210b0df3ee93cf0735f989df65c2e

SHA256 hash: 63daa37ed8cc613c8c14e84659618983046a93046698a4094219d0b485332dc7
MD5 hash: 6f233a4c1dba61a7243b0d06b0cf388c
SHA1 hash: 658fd47cd67a8c60327e5bdd46af77fd56903fd4

SHA256 hash: 670d4a54ddad06d7d3bfbc77e5496322cb31304f2e3ddea94b9cbc4017a1498e
MD5 hash: 157295887e68ed133a79ed6887b839c9
SHA1 hash: 4d606e27b46e75307256a1e1677fb1be630a99b5

SHA256 hash: 1d9f9b445634e6bbe6eb9999d39c2288ec33ad8559c2d6526cb498250353a7b1
MD5 hash: 612a7ca440022770257ea2471c8cb04d
SHA1 hash: 339c68769736f4d2fa5f461a10392e9bc0fd06a7
Malware family:
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RedLineStealer
    Executable exe 1d9f9b445634e6bbe6eb9999d39c2288ec33ad8559c2d6526cb498250353a7b1 (this sample)

Delivery method: Distributed via web download

Comments