MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3992908167693c776e74d85dd17eab656c8bb643d52371524ea9e2f6b6316b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	3992908167693c776e74d85dd17eab656c8bb643d52371524ea9e2f6b6316b12
SHA3-384 hash:	4504728538fefcdb92613ecd13c7b7d0b5904699c5fb94c7f93a957ebe0c565e3d78ae29206be8406cb7017374fbb85f
SHA1 hash:	87cd137787867808601f144e7aea25b9d369ee91
MD5 hash:	c9306194622ba6d723abe569048d4f45
humanhash:	zulu-zebra-sink-august
File name:	c9306194622ba6d723abe569048d4f45.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	339'456 bytes
First seen:	2021-10-02 15:53:39 UTC
Last seen:	2021-10-02 17:24:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	848a7504f9e97d3a5e7cf95079b638a5 (9 x RedLineStealer, 4 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep	6144:3vgDBGUJYzCwnpQMt1Ts5kfv9L/l3+UEVxQYMPSrRr0mMvDqacOWC:3oFLJYzlpnGk39ZDEVxQYJrS7qac3C
TLSH	T13174AE30A7E0C030F4BB62F445BA9378A92D7EB1576490CF63E52AEA56346E4DC30797
File icon (PE):
dhash icon	e8e8c8e8aa66a499 (4 x RaccoonStealer, 3 x RedLineStealer, 3 x CryptBot)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c9306194622ba6d723abe569048d4f45.exe

Verdict:

Malicious activity

Analysis date:

2021-10-02 15:55:40 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/b036fa61-b82a-49d7-9b48-1f7ffce9ae34

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/194208/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.10701.21618.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dfe46d31-3e4f-4d06-97d4-b2fd5582f8e4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/863217

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3992908167693c776e74d85dd17eab656c8bb643d52371524ea9e2f6b6316b12/

Threat name:

Win32.Backdoor.Tofsee

Status:

Malicious

First seen:

2021-10-02 14:18:15 UTC

AV detection:

19 of 45 (42.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hgjjbalhne6ho3tu3bo5c7vlmvwixnsd2urxcusovhrpnnrrnmja._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211002-tb73gsefbj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:18087

Unpacked files

SH256 hash:

a62841bbe14945e2cd4066193675aefc61ced1aaff2753924e4ab30a9241e760

MD5 hash:

f246bd57ec25db36919e7e1aa731303f

SHA1 hash:

f4fa44aadc1d6bd4411c14c78150b2ed24f03f3b

Link:

https://www.unpac.me/results/acbe2486-2462-4191-9735-aec7560a08d2/

SH256 hash:

8804d072134b4f424a7af558ae9eaf17370bf874e2d0919e12e9508a8f25bc04

MD5 hash:

b7e41b714671133b10467addb04eaf04

SHA1 hash:

67250b01da36b1c2b36c6b8599f37d36975cfeca

Link:

https://www.unpac.me/results/acbe2486-2462-4191-9735-aec7560a08d2/

SH256 hash:

ccf48b09615787253370d1f337c632ad194e899489784fa7d4bb4cd8d67d6d9e

MD5 hash:

6b5c7d46224b4d7c38ec620c817867ad

SHA1 hash:

3747f56ac967b30844b790ed11e6180d83a79565

Link:

https://www.unpac.me/results/acbe2486-2462-4191-9735-aec7560a08d2/

SH256 hash:

3992908167693c776e74d85dd17eab656c8bb643d52371524ea9e2f6b6316b12

MD5 hash:

c9306194622ba6d723abe569048d4f45

SHA1 hash:

87cd137787867808601f144e7aea25b9d369ee91

Link:

https://www.unpac.me/results/acbe2486-2462-4191-9735-aec7560a08d2/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/399290816769/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3992908167693c776e74d85dd17eab656c8bb643d52371524ea9e2f6b6316b12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.