MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2959cc74425b45398b7195a26a779dedba3a7cfb28387e50f5b270dda38dd665. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2959cc74425b45398b7195a26a779dedba3a7cfb28387e50f5b270dda38dd665
SHA3-384 hash: 5de03bfbd6c88b6cae25920653334493291bc11e6e8b4ab5ff45012edd9c8a21f5e6510cec701c77cd31e627cebddd8f
SHA1 hash: f25aff3d156617afe2b205501cf2ef8c7d94b063
MD5 hash: 0ed8664e0ae8bb176b6d0fc0251b608e
humanhash: pasta-nuts-echo-lemon
File name:0ed8664e0ae8bb176b6d0fc0251b608e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'120'768 bytes
First seen:2021-07-10 05:40:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d30c2e444a9895fe13a656f52f1ddbb6 (1 x RedLineStealer)
ssdeep 98304:STSqui3+XvGqgHV+QGcu3fs0NWBsARD+mhryFItygoLi+FTZ9ia9qzR9:/quiuXOb+D3fo+uk9iiZ9jM
Threatray 75 similar samples on MalwareBazaar
TLSH T14996AEF2599EA977C2B8033CC28E255D13FD16129736893CEDFD3934E3849989B891C6
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ed8664e0ae8bb176b6d0fc0251b608e
Verdict:
Malicious activity
Analysis date:
2021-07-10 05:42:41 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/70ef0f96-42a0-4926-8260-7033764f44a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170760/
Detection(s):
SecuriteInfo.com.Dropper.Generic.VZR.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e65d8b65-b99a-4714-b933-696cbbb59b40
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814272
Signature
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2959cc74425b45398b7195a26a779dedba3a7cfb28387e50f5b270dda38dd665/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 18:25:00 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ffm4y5cclncttc3rswrgu5455w5du7h3fa4h4uhvwjyn3i4n2zsq._file
Verdict:
malicious
Similar samples:
0f59d4e8970f5f97d8a033783d8b9cdb8fe9a30ba4462366b254f6deb69696dd
RedLineStealer
34b09f16fa6e9789bda97d9bd512ac7f49e235982db9d65109a4078ab3567bcf
RedLineStealer
36cbc77a5caaf8f805bc7347ee4cd27657fca600ea5e202e633aca7a09d73297
RedLineStealer
477ea4ac94a63aa7e55baf53f5a0fba0e264f3c155f413edc03da1f5181d9999
RedLineStealer
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
RedLineStealer
5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
RedLineStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RedLineStealer
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
RedLineStealer
c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68
RedLineStealer
f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de
RedLineStealer
+ 65 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210710-8mpsrdtzpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Unpacked files
SH256 hash:
2959cc74425b45398b7195a26a779dedba3a7cfb28387e50f5b270dda38dd665
MD5 hash:
0ed8664e0ae8bb176b6d0fc0251b608e
SHA1 hash:
f25aff3d156617afe2b205501cf2ef8c7d94b063
Link:
https://www.unpac.me/results/be2aa936-1a9e-4d13-9334-c70f891c91d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2959cc74425b45398b7195a26a779dedba3a7cfb28387e50f5b270dda38dd665

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2959cc74425b45398b7195a26a779dedba3a7cfb28387e50f5b270dda38dd665

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1440513/
Cape
Cape
https://www.capesandbox.com/analysis/170760/

Comments


Avatar
zbet commented on 2021-07-10 05:40:21 UTC

url : hxxp://i55fundraising.com/Jople.exe