MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24728f9f514057fd9e4c24dda9ded0dad0835928b965c5c8e9185a74fb276cb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	24728f9f514057fd9e4c24dda9ded0dad0835928b965c5c8e9185a74fb276cb7
SHA3-384 hash:	23c05b27376e02e84bf73846d3f5e16f0a39cbf456a1f34f539ce66ff318463099866c6d2ec6a9ee3337eef82ab1385b
SHA1 hash:	d9a79b487f3cfeee8e42cacb60a3e1bd6e6e8539
MD5 hash:	f31fff97491b0c14f2158db29a5c69d1
humanhash:	yellow-green-whiskey-table
File name:	FTXExchange.exe
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	2'469'840 bytes
First seen:	2022-11-13 00:45:14 UTC
Last seen:	2022-11-13 02:40:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ee5612dffe4cd5c13fb65a3e987147a3 (3 x RedLineStealer, 1 x Formbook)
ssdeep	24576:6IuBu5SsFqHllFMco/TSBGIR3AwCctJqSXpnKycHVP5XUbme:6zBu5SsFUlFcbSAVwfZKL1REm
Threatray	6'173 similar samples on MalwareBazaar
TLSH	T145B51233108ADDD3D32726B2126093ADAD949529A0B5016F83C76793EE7FE91C4F88DD
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0cce2603092c4e0 (2 x RedLineStealer)
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

225

Origin country :

AU

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

FTXExchange.exe

Verdict:

Malicious activity

Analysis date:

2022-11-13 00:44:27 UTC

Tags:

redline

Link:

https://app.any.run/tasks/22280c9c-cb5d-498c-b7b7-2e5b3a9d1904

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/333077/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Zusy.442219.10672.18947.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/51821/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63703e4b651d1d5cca6494ca/reports/9f5efbcd-03c8-46b8-8c25-f0175fe1fc32/overview

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer RedLine stealer

Malware family:

RedLine stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d70957f-a66b-4c03-a322-5e38f8dab085

Joe Sandbox malicious

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1112035

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24728f9f514057fd9e4c24dda9ded0dad0835928b965c5c8e9185a74fb276cb7/

ReversingLabs TitaniumCloud Win32.Spyware.RedLine

Threat name:

Win32.Spyware.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2022-11-13 00:46:11 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

20 of 26 (76.92%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=erzi7h2ribl73hsmeto2txwq3liigwjixfs4lshjdbnhj6zhns3q._file

Threatray malicious

Verdict:

malicious

Similar samples:

09d3b92298661321ffcaecc92f72ac6681b6ff7941364b95d8f4d9cb2051ca84

RedLineStealer

0b08ccb99298e3ae9d9ea3920dc7a5769e0c4c73c408a546ddc3262c1e66ab6f

RedLineStealer

3fd1e5924ec48bb5abc6243cf1641e5f0323ab68d494e5c412a830e45f1e36d7

RedLineStealer

6b6baec6f1e73d38262ea3ac6a91acb44bb64d30bd948c89f9b8d97979fbff61

RedLineStealer

d38094e9d3a8f4995cb29474aafda7a4ab5c9ae3a5b9742ca48abc4eb830697e

RedLineStealer

ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f

RedLineStealer

+ 6'163 additional samples on MalwareBazaar

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline botnet:ftx infostealer spyware

Link:

https://tria.ge/reports/221113-a4msgadb3v/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

199.34.18.18:48587

Threat.Zone Suspicious

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9c8b33e9-5433-4794-92f4-196f4341130c

UnpacMe redline

Unpacked files

SH256 hash:

09d3b92298661321ffcaecc92f72ac6681b6ff7941364b95d8f4d9cb2051ca84

MD5 hash:

853c77c90e01f71905bbd3fbe9a1aef5

SHA1 hash:

05e67edc225cbc29625988bd782c51f5aa2cec94

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/c3372035-a79c-4696-a133-b4c92e485d36/

Parent samples :

3fd1e5924ec48bb5abc6243cf1641e5f0323ab68d494e5c412a830e45f1e36d7
24728f9f514057fd9e4c24dda9ded0dad0835928b965c5c8e9185a74fb276cb7
09d3b92298661321ffcaecc92f72ac6681b6ff7941364b95d8f4d9cb2051ca84

SH256 hash:

61797630d7ce63c9e279c4225a25f0d64bd28f75c2a41c75841e8cb11336fe55

MD5 hash:

6497ee4ad28639aff4b6ebb49483424c

SHA1 hash:

9f83d2163c5ef672aac270c02b3dd7c7e476707b

Link:

https://www.unpac.me/results/c3372035-a79c-4696-a133-b4c92e485d36/

SH256 hash:

24728f9f514057fd9e4c24dda9ded0dad0835928b965c5c8e9185a74fb276cb7

MD5 hash:

f31fff97491b0c14f2158db29a5c69d1

SHA1 hash:

d9a79b487f3cfeee8e42cacb60a3e1bd6e6e8539

Link:

https://www.unpac.me/results/c3372035-a79c-4696-a133-b4c92e485d36/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/24728f9f5140/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Redline

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24728f9f514057fd9e4c24dda9ded0dad0835928b965c5c8e9185a74fb276cb7

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 24728f9f514057fd9e4c24dda9ded0dad0835928b965c5c8e9185a74fb276cb7

(this sample)

  

X

https://twitter.com/FTX_Wallet/status/1591426843655409664

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/333077/