MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 284aaa322178795ef178c6cb02c58b16d32ee3ecf9e06dfcb0dcee8beecec30b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 284aaa322178795ef178c6cb02c58b16d32ee3ecf9e06dfcb0dcee8beecec30b
SHA3-384 hash: 635481471bd2409fa86347f743924a368abd8a8df4af513fa22830ca925b9e34da117ea105d5d2ea90b5ad5e163d3d01
SHA1 hash: 5ac66b1ff381672d4fbc69680d45086e941674aa
MD5 hash: 9814aac3f3d182e19a633bc31c68ce51
humanhash: mars-thirteen-lion-triple
File name:9814aac3f3d182e19a633bc31c68ce51
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'082'312 bytes
First seen:2022-03-13 17:58:04 UTC
Last seen:2022-03-13 20:43:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 47fa643dcd68b930ded61ce0b139c2d2 (1 x RedLineStealer)
ssdeep 24576:ThKWLp9tn8uf0xjQvA+hXWCJEDrZeR7nhOoypHsL:TxbJF+jQ/ocCHM
Threatray 1'791 similar samples on MalwareBazaar
TLSH T13435333112149E96DE7A4D740812EB3DB1F93D0AC658F82AB4E4AD973CBCA773C9405B
File icon (PE):PE icon
dhash icon 0460f8cd64b24130 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:Logitech Z-906
Issuer:Logitech Z-906
Algorithm:sha1WithRSAEncryption
Valid from:2021-07-03T10:07:35Z
Valid to:2031-07-04T10:07:35Z
Serial number: 66390fc17786d4a342f0ee89996d6522
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a0cdb1c5a7429ea15858acfc418c93ed96f733236efc0f2409f29138001956cb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249905/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.13059.25424.7815.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/622e30eab94fb38cb4729f40/reports/109016c6-d648-4bcd-81ca-11fb3abcae20/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5510d06a-9838-4b84-9876-6f9564657c43
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955653
Signature
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/284aaa322178795ef178c6cb02c58b16d32ee3ecf9e06dfcb0dcee8beecec30b/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2022-03-12 16:13:23 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2c5bcf3f88a6848053f57223363adb22e49f41b1c8a54f8ddc370508c3043e70
RedLineStealer
3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
RedLineStealer
4618fb57958c19496e668916d769cb40e6bb0a0af0fbb1ff73ee89e701f3fe9b
RedLineStealer
67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23
RedLineStealer
738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5
RedLineStealer
c9578d03c3601352623f7083e52c45d3c59656fc4fbafaf10a8387dc51c89b33
RedLineStealer
d4fb12766874defc4d6a9dda8cd8aa956fdac4352d874c04f9828743247510df
RedLineStealer
d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
RedLineStealer
+ 1'781 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220313-wlbs5sbafm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
974dbb497e8564f860e5e7794876dc9cd0662c443400f6c36ecfb232f5842f0f
MD5 hash:
a3505cca0aaaa73103670ab71dbaadc6
SHA1 hash:
bec0414233103a5713fb6b0409ef4e7a32d8b77e
Link:
https://www.unpac.me/results/7e4fa81f-bc71-42e7-a39d-1b715d4cb60d/
SH256 hash:
284aaa322178795ef178c6cb02c58b16d32ee3ecf9e06dfcb0dcee8beecec30b
MD5 hash:
9814aac3f3d182e19a633bc31c68ce51
SHA1 hash:
5ac66b1ff381672d4fbc69680d45086e941674aa
Link:
https://www.unpac.me/results/7e4fa81f-bc71-42e7-a39d-1b715d4cb60d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/284aaa322178/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/284aaa322178795ef178c6cb02c58b16d32ee3ecf9e06dfcb0dcee8beecec30b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_KB_CERT_66390fc17786d4a342f0ee89996d6522
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 284aaa322178795ef178c6cb02c58b16d32ee3ecf9e06dfcb0dcee8beecec30b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2094616/
Cape
Cape
https://www.capesandbox.com/analysis/249905/

Comments


Avatar
zbet commented on 2022-03-13 17:58:05 UTC

url : hxxp://79.133.56.44/myblog/img/164.exe