MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e00970284b92c69f71325179e2f9a3cb40493c3b53efd997af571f0effacfd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e00970284b92c69f71325179e2f9a3cb40493c3b53efd997af571f0effacfd9
SHA3-384 hash: 13d7fb1892851d2a3d756c9e7dbe5e2e853029965952f247c8f06e65b536b18cfc26d03f707c619b89910abc42f82fde
SHA1 hash: 44f92e07f708fb79124755746e29c10ad6296db7
MD5 hash: 2d140a33c8353961ac1e03f16abb6404
humanhash: princess-september-avocado-august
File name:2d140a33c8353961ac1e03f16abb6404.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'040'131 bytes
First seen:2021-09-20 07:03:26 UTC
Last seen:2021-09-20 08:03:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2061d2d60e6bc0fdd621117f51b85f97 (2 x RedLineStealer)
ssdeep 49152:gxfWynrnGxFj5uZ7y5d172BZxwXXiCn4W9v1IetigJxddAr/JG2mXEsW68xaTrF:4fWO4B5MyJTHxn4VexYraU2VrF
Threatray 6 similar samples on MalwareBazaar
TLSH T10CE5336F66EBB4E8F943D033FC3D90851087ADB29091E9BE076C0FA9A77215C4B57A11
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2d140a33c8353961ac1e03f16abb6404.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 07:06:30 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/28adab1f-4578-4a8f-b2ca-fe3d39a43c10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189236/
Detection(s):
SecuriteInfo.com.Variant.Zusy.401329.8835.21567.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02e8eb49-6154-4111-9f0a-0c4f94e0c843
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853787
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e00970284b92c69f71325179e2f9a3cb40493c3b53efd997af571f0effacfd9/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 20:00:06 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
25c212b01aed427cbe5c5e0f06e5edd0188f881551347aa20804b3da88da2af2
RedLineStealer
41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae
RedLineStealer
433811102726bc15416ca338a2df55ec1daaf3f2565ee00d7f6484064746fb30
RedLineStealer
99b9b649c59745f1544c91ffe35dad1e1529c9cb6715325c95ee396bbe3db2ab
RedLineStealer
a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2
RedLineStealer
acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:my evasion infostealer spyware trojan
Link:
https://tria.ge/reports/210920-hvzdxafhak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
91.206.14.151:28529
Unpacked files
SH256 hash:
902fc5bcf3f7eb5ee1b62fc989ceaeeb1ac28412c4feb5e29b4d40995cd0df48
MD5 hash:
fad7ade0ffa39c23a3ea67e0d734d545
SHA1 hash:
80726e4f30c35ff9f0f5d60ce4fd880e8d1975d4
Link:
https://www.unpac.me/results/3fa9840a-b1dd-482a-8a0c-ea3378681796/
SH256 hash:
94ad447d0897fb047b2fb2c1f56d8a04a002f3f894486b2c61d3946b6121cd2a
MD5 hash:
f4ad695129a3c67c734fc5866b97d812
SHA1 hash:
5bbed484cccf2696fa851a09fcc52e0ce8399071
Link:
https://www.unpac.me/results/3fa9840a-b1dd-482a-8a0c-ea3378681796/
SH256 hash:
5e00970284b92c69f71325179e2f9a3cb40493c3b53efd997af571f0effacfd9
MD5 hash:
2d140a33c8353961ac1e03f16abb6404
SHA1 hash:
44f92e07f708fb79124755746e29c10ad6296db7
Link:
https://www.unpac.me/results/3fa9840a-b1dd-482a-8a0c-ea3378681796/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e00970284b92c69f71325179e2f9a3cb40493c3b53efd997af571f0effacfd9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5e00970284b92c69f71325179e2f9a3cb40493c3b53efd997af571f0effacfd9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1549206/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189236/

Comments