MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 436c9071616192510f4ec380918b02d17a2046fc74034ccad90b800fcd8dab17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 4 File information Comments

SHA256 hash:	436c9071616192510f4ec380918b02d17a2046fc74034ccad90b800fcd8dab17
SHA3-384 hash:	31e246f71f1bbfeb8c6791163d1003b107aa89cf1f6ed85c412f5ed1e24e30ce700ba1facb5bd781166a5d0f51580a64
SHA1 hash:	4ae8ccddfb73a650a6355cf1b69d478fff260a18
MD5 hash:	b943dd9aeb52f6548c471f17dc25bed2
humanhash:	august-snake-bakerloo-october
File name:	b943dd9aeb52f6548c471f17dc25bed2.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'025'376 bytes
First seen:	2022-03-24 00:18:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9c75e1a3cf4e1770f5ac16f4c76fc1f0 (1 x RedLineStealer)
ssdeep	24576:F4qDRLweDvDKqLvAlj1CtmnQdS61Ad+hQoNLxTXKVi:axeDvDKhlvnQc61hioNLxUi
Threatray	1'341 similar samples on MalwareBazaar
TLSH	T14B252321A7E9C631C0554732D8A39B268A22F113609C9FD713BDEE2EDED37267CD2245
File icon (PE):
dhash icon	f485332971731e58 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
89.208.137.76:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
89.208.137.76:80	https://threatfox.abuse.ch/ioc/444413/

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/256960/

Detection(s):

Win.Packed.Obsidium-9942120-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

exploit fake greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/623bb90fdfdfa8501cd5472b/reports/613c6bdd-5793-4a36-bbbe-f04f3dc9703f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a909688a-b995-430d-b5c5-7f2e959724e3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/963366

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Yara detected MSILDownloaderGeneric

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/436c9071616192510f4ec380918b02d17a2046fc74034ccad90b800fcd8dab17/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-03-20 16:43:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 42 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=inwja4lbmgjfcd2oyoajdcyc2f5carx4oqbuzswzboaa7tmnvmlq._file

Verdict:

malicious

RedLineStealer

5bbe20646d38c2bb4bc38650649633c5a78522a6ea2f09f04cb6be0f3075544e

RedLineStealer

a1fb53720f755909dee2f5fe9c8015ed9b5e52817dd9a91d6ed7762eaa9faa2d

RedLineStealer

aae66e4930de3e86e7a4095dbba08680278f96f570a0d116e4616c12492a3073

RedLineStealer

ad8da7f38644aa54c0983c703436a872daecd353e1470e831aa209e0b37f837e

RedLineStealer

c6045ce3162c17ebce174609ecbca8e5024a69edcc37c89bc60ff2e07cb52475

RedLineStealer

+ 1'331 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer persistence spyware stealer

Link:

https://tria.ge/reports/220324-al7d6abbh9/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Unpacked files

SH256 hash:

527337e4d6e96e808ec30afd892b9d842a3e085d5c4812d97f2a59946a1466ba

MD5 hash:

e332f44fb2e00267d9549f2189f88bbe

SHA1 hash:

022d8139001a5f2d9ce405cbc31f9c348a73e13f

Link:

https://www.unpac.me/results/163bf69f-1a4b-4910-89e2-1d1b3124b4fb/

SH256 hash:

436c9071616192510f4ec380918b02d17a2046fc74034ccad90b800fcd8dab17

MD5 hash:

b943dd9aeb52f6548c471f17dc25bed2

SHA1 hash:

4ae8ccddfb73a650a6355cf1b69d478fff260a18

Link:

https://www.unpac.me/results/163bf69f-1a4b-4910-89e2-1d1b3124b4fb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/436c90716161/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/436c9071616192510f4ec380918b02d17a2046fc74034ccad90b800fcd8dab17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	PowerTool Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerTool, sometimes used by attackers to disable security software.
Reference:	https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/256960/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample