MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 431e0e96322e3ec89eca1b772547cb52a2286f821496d6a229f079d9032c175b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	431e0e96322e3ec89eca1b772547cb52a2286f821496d6a229f079d9032c175b
SHA3-384 hash:	b1be692aa5bfbc4f79c4c95b71a218569617c486f26031f7ee0b0c28ece7ed700a2c9a73b8ae72d5ce67692d9ae55883
SHA1 hash:	ac2befc8776fef3dd49a50bdaf082aea2ae70909
MD5 hash:	88d642423d2184e026ff24923bee6546
humanhash:	dakota-seventeen-monkey-bravo
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'543'311 bytes
First seen:	2022-08-25 11:07:03 UTC
Last seen:	2022-09-01 09:19:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep	24576:0FCleZZYxYV50sOZM21B5JKlGT6qKmnyDcMszax9sjfgvdfLmWq9NJHl3RuQ553i:GGeeYI9ex9sjfgvdfH+NJHl3m
Threatray	5'057 similar samples on MalwareBazaar
TLSH	T189C51A139A8B0E75DDC23BB461CB633AA734FD30CA3A9B7BF609C53559532C4681A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc746114588_646327570?hash=c02bPSCiLWZpMtpLz9mcLGcoAI9yMq6pZ0Zwm6RNbu0&dl=G42DMMJRGQ2TQOA:1661424798:v7MAbfCvHvZO3bVySJQQ0wDkDBqbrUFrYh9wuMqaFss&api=1&no_preview=1#ruzki

Intelligence

File Origin

# of uploads :

# of downloads :

345

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-08-25 11:16:14 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/202b5193-32bc-495f-a5a3-0d83f3c7629d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/301134/

Detection(s):

SecuriteInfo.com.Variant.Babar.97240.14650.4524.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/30056/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug overlay spyeye

Link:

https://www.filescan.io/uploads/63075871c9bbd9909792855a/reports/586b2e10-e6ab-4169-9d6a-b8be8347d2d8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/59d159b3-5b5a-4ca5-aed0-4c4d9a47a6b0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1057640

Signature

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/431e0e96322e3ec89eca1b772547cb52a2286f821496d6a229f079d9032c175b/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-08-25 11:08:11 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=impa5frsfy7mrhwkdn3skr6lkkrcq34ccslnnirj6b45sazmc5nq._file

Verdict:

malicious

RedLineStealer

1572b0b39817b06c1f40656fdb7c8797195af7c49c55c7d5841f9a191666decf

RedLineStealer

1cfedc5f4417fb610918bef30a1c9ed9c131a66be880f4f87bb8bd316a928417

RedLineStealer

3040057cc1f85077391462ead4d3fb8a08f4fe3ed92b1bde1d00b9b3f1e6eb47

RedLineStealer

7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

RedLineStealer

8f934a6a1ec0c12a75bee680a9633e0f19d23b9b671d97a7d9b804d697ea5a08

RedLineStealer

b4464d19bcb77bf0e29a7be36f4f6cf621f347c50156ca4c5af1df9cd64e29dd

RedLineStealer

+ 5'047 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki9 infostealer spyware

Link:

https://tria.ge/reports/220825-m8jmtsdaa2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

176.113.115.146:9582

Unpacked files

SH256 hash:

b71e664bbf625111c8fe0900b819f093d26a1e5fe740507429acc9c9cb6be9f5

MD5 hash:

17c8096b2772653bb44b9ebd405b9412

SHA1 hash:

2989795ae079428bbfd9f4f8353e3f85c1a77581

Link:

https://www.unpac.me/results/b32579d8-8769-4a8a-802a-474cbf0a74aa/

SH256 hash:

431e0e96322e3ec89eca1b772547cb52a2286f821496d6a229f079d9032c175b

MD5 hash:

88d642423d2184e026ff24923bee6546

SHA1 hash:

ac2befc8776fef3dd49a50bdaf082aea2ae70909

Link:

https://www.unpac.me/results/b32579d8-8769-4a8a-802a-474cbf0a74aa/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/431e0e96322e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/431e0e96322e3ec89eca1b772547cb52a2286f821496d6a229f079d9032c175b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/301134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample