MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39d8509d39e4aa1cd0cc8c3efedc0ffbc8898c2ed9ff2526316d2ad8bacb24e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39d8509d39e4aa1cd0cc8c3efedc0ffbc8898c2ed9ff2526316d2ad8bacb24e2
SHA3-384 hash: 4ef3c762c387a80dc1f1ef43679075f2e3fba028c032d3b1b4b9904b8d173593296508ee70afe4893664bb0a9f600ab9
SHA1 hash: 4eedae798f07dd4562e54205b01a40131af25332
MD5 hash: f350e7e62aee0b419ce26318350ff7b0
humanhash: five-leopard-single-bluebird
File name:f350e7e62aee0b419ce26318350ff7b0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:417'792 bytes
First seen:2022-05-22 12:16:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0588ee478c2f970a1d27d379ec7f0453 (7 x RedLineStealer)
ssdeep 6144:2VF+4/fe363pFHgNowwi2PwlP5KpwoVriJCy7D/ORmuFMjUWNLf:2/vfOkp1Bi2PK5TariQ6clFMJN
Threatray 3'469 similar samples on MalwareBazaar
TLSH T1A494AE30BA90D035F4B392F4C57992A9B9397EA1AB2440CB52D57AFE56342D0EC3D317
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9824e3d0c4e72158 (4 x RedLineStealer, 1 x Stop, 1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer teambot2

Intelligence

File Origin
# of uploads :
1
# of downloads :
361
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f350e7e62aee0b419ce26318350ff7b0
Verdict:
Malicious activity
Analysis date:
2022-05-22 12:24:41 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/69e24efd-50c1-4998-8ddb-32db2d34ad7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273431/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19535/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/628a29fdeba388bb867f967d/reports/438db635-005c-4e76-8220-8a02894063ea/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24bcb113-a86d-4bba-83e5-7c267431ef12
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999331
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39d8509d39e4aa1cd0cc8c3efedc0ffbc8898c2ed9ff2526316d2ad8bacb24e2/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 12:17:08 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhmfbhjz4svbzugmrq7p5xap7peitdbo3h7skjrrnuvnrowletra._file
Verdict:
malicious
Similar samples:
04eb472779a21aaea0da53a19d85d756172b3bb387d91a07d43e907f296504d3
RedLineStealer
1a12ff0fc0c9ffc1d06b2f448eaa7ce816bfbc15614fb65c4157bd90e2fa4f88
RedLineStealer
5b1556fc720ead9f3505bbffa66fb38c1bd724fed4d09530a33e4b12cd300904
RedLineStealer
6347eda7821b2807e969568f9125af76656c78f222ccf221efa4b8b2a23adf0e
RedLineStealer
8e8f1b702c2fc78e020c6025ae7a9044512e8bca0af5c633dd21fecf2a7ecfd4
RedLineStealer
ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a
RedLineStealer
+ 3'459 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:palsup discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220522-pf1rraaac7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.150.103.38:40169
Unpacked files
SH256 hash:
075b3943963f255d2b6d8b556afe8ef2ac9ef282fcd70943b5b4e26eb7983145
MD5 hash:
d8f1fcf928132cacfca389f4693817ee
SHA1 hash:
9b3b5d18bcf421f6a43a367d79c5ee9ae19de00e
Link:
https://www.unpac.me/results/81003400-1c68-4c96-bd6d-533f28a0c0af/
SH256 hash:
a9f6842f8b53df735919f4c6ecf5a846dda7ffdb9da2150aa0609fe19c7a1211
MD5 hash:
5804982c6456c3b294b45121241037db
SHA1 hash:
7d942660f8d14f67a41c12c3e6b236e7dabe3d12
Link:
https://www.unpac.me/results/81003400-1c68-4c96-bd6d-533f28a0c0af/
SH256 hash:
8061601b8047a67208096c3f60199a48f0d4f68eeeaff59f088b5db7b2a6b781
MD5 hash:
67564dbaa645ba93916e7ca698987549
SHA1 hash:
6f5630155b54ed9c2eae9cbc371f58496d5e9fbb
Link:
https://www.unpac.me/results/81003400-1c68-4c96-bd6d-533f28a0c0af/
SH256 hash:
39d8509d39e4aa1cd0cc8c3efedc0ffbc8898c2ed9ff2526316d2ad8bacb24e2
MD5 hash:
f350e7e62aee0b419ce26318350ff7b0
SHA1 hash:
4eedae798f07dd4562e54205b01a40131af25332
Link:
https://www.unpac.me/results/81003400-1c68-4c96-bd6d-533f28a0c0af/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/39d8509d39e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39d8509d39e4aa1cd0cc8c3efedc0ffbc8898c2ed9ff2526316d2ad8bacb24e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 39d8509d39e4aa1cd0cc8c3efedc0ffbc8898c2ed9ff2526316d2ad8bacb24e2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2206611/
Cape
Cape
https://www.capesandbox.com/analysis/273431/

Comments


Avatar
zbet commented on 2022-05-22 12:16:51 UTC

url : hxxp://incricinfo.com/9/data64_2.exe