MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326f7ee9fda4f77be13c17bd65d619d46685b6fa5e54b412f4ba3571766bb7f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 326f7ee9fda4f77be13c17bd65d619d46685b6fa5e54b412f4ba3571766bb7f1
SHA3-384 hash: 326a552c0dead7e0a67d6f121d156a354b53e0009f952f4099d0f1ea7b4ffaf9fa694513ce171bc88c2855e83f469bfa
SHA1 hash: c67992c5e94b93f26d35f66962b041b07773ad88
MD5 hash: 5b4214fc265338a586eff675d1788501
humanhash: carbon-arkansas-alaska-fruit
File name:5b4214fc265338a586eff675d1788501
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'086'088 bytes
First seen:2021-09-01 06:28:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 49152:0y8Yw8d5/5FS0ppO/BVsMw2w46+jLhbdQ301NHi8TBICJJOPMYfY0WY9st2Vin+A:0mwMFS/LcD+j5d4ii8Ta2JOPVfY0p97y
Threatray 275 similar samples on MalwareBazaar
TLSH T1B0E51201B3A25378EDA6BA35ACB708750E6639E844E1D369ACF3D70E1FFA6414473721
dhash icon f0cc96868686ccf0 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://anonfiles.com/rb20t3E2u1/Synapse_X
Verdict:
Malicious activity
Analysis date:
2021-09-01 00:48:37 UTC
Tags:
evasion trojan stealer opendir loader rat redline raccoon
Link:
https://app.any.run/tasks/d0e910f2-6fdb-4cc6-8afc-020b0758d41c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184373/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Sending a UDP request
Stealing user critical data
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1f4fd60f-d03f-4673-90dc-73cb331b0810
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843126
Signature
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/326f7ee9fda4f77be13c17bd65d619d46685b6fa5e54b412f4ba3571766bb7f1/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 21:00:10 UTC
AV detection:
15 of 40 (37.50%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f
RedLineStealer
1250e46b77a500be795b0073e72d97fd83f389eaff6f34fba7dd5847556f31ca
RedLineStealer
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
RedLineStealer
61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948
RedLineStealer
7332c0a22bffbb024052e842388e8a34d5d82d88ed0187ea16ddc810bf352604
RedLineStealer
c74725fe1e3f3681bc7033ce7694b98075d395c06ba22989216d4288db559e85
RedLineStealer
d5e932844e72c2971c9e9b9d84cf15806c30b13c026abfeb0c476560be9c51c1
RedLineStealer
d620056c5defae218de13235fc4a509d968bd55469092aa00095ff94a0246b7f
RedLineStealer
+ 265 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/210901-4pvky4mqn6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/0680b980-26ab-4f15-a900-2f9f295175bf/
SH256 hash:
326f7ee9fda4f77be13c17bd65d619d46685b6fa5e54b412f4ba3571766bb7f1
MD5 hash:
5b4214fc265338a586eff675d1788501
SHA1 hash:
c67992c5e94b93f26d35f66962b041b07773ad88
Link:
https://www.unpac.me/results/0680b980-26ab-4f15-a900-2f9f295175bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.04
Link:
https://yomi.yoroi.company/submissions/326f7ee9fda4f77be13c17bd65d619d46685b6fa5e54b412f4ba3571766bb7f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 326f7ee9fda4f77be13c17bd65d619d46685b6fa5e54b412f4ba3571766bb7f1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1550754/
Cape
Cape
https://www.capesandbox.com/analysis/184373/

Comments


Avatar
zbet commented on 2021-09-01 06:28:57 UTC

url : hxxp://37.0.10.214/WW/file7.exe