MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f9c5d031cd548540a3b67892bb36e474ae0f117cb8ceb5f4ce1295f0a700615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f9c5d031cd548540a3b67892bb36e474ae0f117cb8ceb5f4ce1295f0a700615
SHA3-384 hash: c61d6a12e5d1ba6a44b5fcab5b6cc61fa591236fa78eec431037c3f036c4fbeba4af5ca3ec749340fe849809bd09a6d8
SHA1 hash: ff00df0fae10b85e0e9fc50ad5684cc6ad897466
MD5 hash: 342b4b0de1fa80c2874efa4cee6b29ed
humanhash: arizona-jupiter-salami-potato
File name:342b4b0de1fa80c2874efa4cee6b29ed.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:394'752 bytes
First seen:2022-02-12 19:57:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c4015563cdaee1318346f8141b1290e (1 x RedLineStealer)
ssdeep 6144:AP6ELiA3xlh00ZxSJ83OLRownEtz//vQGLhK26Pv20NlDgG:AyEHbRZxW83PoEtzHJdTqvjlv
Threatray 1'622 similar samples on MalwareBazaar
TLSH T17E84F11176D4D8BAE5A20576CC16C7B14AF7B8B15E20A98F3F940B7E6F362D1CE02342
File icon (PE):PE icon
dhash icon 327a7c7b767e6e66 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241102/
Detection(s):
Win.Malware.Mikey-9917879-0
Create hunting rule

Win.Malware.Generic-9935525-0
Create hunting rule

Win.Malware.Generic-9938009-0
Create hunting rule

Win.Packed.Filerepmalware-9938574-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/62081151289e2f3e4fcbc5da/reports/54339793-accd-4468-ac9e-b1e7f766b296/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba625dac-5ca5-44e7-8af9-df3d87f29264
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938850
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f9c5d031cd548540a3b67892bb36e474ae0f117cb8ceb5f4ce1295f0a700615/
Threat name:
Win32.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-02-12 19:58:12 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6of2ay42veficr3m6esxm3oi5fob4ixzogowx2m4euv6ctqaykq._file
Verdict:
malicious
Similar samples:
06db093414f42d7669e57d31a8d563c71018e8d75c886244b77a6a9bc86b6fdb
RedLineStealer
0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f
RedLineStealer
10c760b38e37d7df4fdb3caa56328e51943ac422018b1261fbd4820cdaa046d3
RedLineStealer
6adee9708eeb07df53ced6a40ad5eab5e92be4f86a314835a8ec6e78d20cef62
RedLineStealer
7b40863ec74aadb8aa7f38657302a39c1699f3e49dfc35ad63f32a0d37c19933
RedLineStealer
8d1a7c4598d2da684743fe986b7ce6486edbd09292f2741d37f3972248d5698a
RedLineStealer
9e719c4dd5e1086d5197fded7b8cdb0d3d592c0636b0d469fcda22c9723e8e7c
RedLineStealer
+ 1'612 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:ruzkikakoyto discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220212-yps8psdah9/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.29:20819
Unpacked files
SH256 hash:
f039c36f20180642b9d3f743728e7cd3b128ce16a2ec55b31f57035c0358a48d
MD5 hash:
6fe38621a99a27a7158deed26529044a
SHA1 hash:
e33e1b0dcdca8fbf5d8697cd30e1b179409e103b
Link:
https://www.unpac.me/results/541a1dba-2c69-4b36-9a52-ee1e7fc6e38a/
SH256 hash:
9fe77933fae452836671e8b4dd89d5622c96dcb23ad3e886f596fd43a9fa02ee
MD5 hash:
e8c466c124c7cd59a9789539e937c1af
SHA1 hash:
8897495710fa4983e459e30cf18408e9a239e5d0
Link:
https://www.unpac.me/results/541a1dba-2c69-4b36-9a52-ee1e7fc6e38a/
SH256 hash:
c0f409516f79693267277d572554eca46d356bf11525ac735765944e8b825c75
MD5 hash:
12d56123fbe159ce4e103cd2ce44ec94
SHA1 hash:
4089a4423b8dddd45583bc43202101af66c08361
Link:
https://www.unpac.me/results/541a1dba-2c69-4b36-9a52-ee1e7fc6e38a/
SH256 hash:
1f9c5d031cd548540a3b67892bb36e474ae0f117cb8ceb5f4ce1295f0a700615
MD5 hash:
342b4b0de1fa80c2874efa4cee6b29ed
SHA1 hash:
ff00df0fae10b85e0e9fc50ad5684cc6ad897466
Link:
https://www.unpac.me/results/541a1dba-2c69-4b36-9a52-ee1e7fc6e38a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1f9c5d031cd5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:obfuscate_macros
Create hunting rule
Author:ddvvmmzz
Description:obfuscate macros

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1f9c5d031cd548540a3b67892bb36e474ae0f117cb8ceb5f4ce1295f0a700615

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1849294/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/241102/

Comments