MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments 1

SHA256 hash:	61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948
SHA3-384 hash:	26967297a79c63227772b496b36c7aa7a251654f289af2a2c706e81cd177b30a13268b91ee1c0052c86dfce358323ab2
SHA1 hash:	f4e8c44ff923bf7bb0f5a4b8c104d8d79d4b93e8
MD5 hash:	a3cd270378287770bdd9fdb2b59e5588
humanhash:	maryland-uniform-butter-ohio
File name:	a3cd270378287770bdd9fdb2b59e5588
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'139'280 bytes
First seen:	2021-08-06 10:12:44 UTC
Last seen:	2021-08-06 11:12:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:n6sYBfAryN44VkQk6rDIoPqi2Vg1jFVZ2fM75O7qgnSxLNI:n6lt4d596nI5jWFPaY5O7qFq
Threatray	3'973 similar samples on MalwareBazaar
TLSH	T14FE533B9DFE4087BCF70FC724D332136018F2D18D861D52A6A9A77882E366504E676ED
dhash icon	9633694d4d193386 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a3cd270378287770bdd9fdb2b59e5588

Verdict:

Malicious activity

Analysis date:

2021-08-06 10:16:49 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/3267f935-b020-47ab-8609-d2264b8e19db

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/176959/

Detection(s):

SecuriteInfo.com.Variant.Razy.901307.29224.19490.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

DNS request

Connection attempt

Sending an HTTP POST request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Sending a UDP request

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d864bf16-bc3a-43ef-bf72-6f5c2dbcc7f1

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/828211

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948/

Threat name:

Win32.Infostealer.Reline

Status:

Malicious

First seen:

2021-08-04 01:07:00 UTC

AV detection:

25 of 47 (53.19%)

Threat level:

5/5

Verdict:

unknown

RedLineStealer

28f5fa7118d4f1866643d781c3fee5cb4507f3d268c263ef40551d527da2c330

RedLineStealer

50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce

RedLineStealer

714a30085b93988295ea7b732d24384db7bb3be843e20acd447ae8dd258db7a8

RedLineStealer

8c373102d98ba3188c4361deee0bd43f89e4e8785b613a7af99bddd45329303d

RedLineStealer

966587a4421c9d7cab7b5defc79a47e7c319f0bd4166678d3a0425b85ca540bb

RedLineStealer

a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b

RedLineStealer

c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54

RedLineStealer

+ 3'963 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery evasion infostealer spyware stealer themida trojan

Link:

https://tria.ge/reports/210806-zk76qdwagj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

Unpacked files

SH256 hash:

dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a

MD5 hash:

c02a029c978f13b753c6b578b1588c75

SHA1 hash:

e125d59451e7f467bfd329a00a506decbcd91d83

Link:

https://www.unpac.me/results/b73a6988-ccb5-44ec-8cb1-dfe59791c501/

SH256 hash:

61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948

MD5 hash:

a3cd270378287770bdd9fdb2b59e5588

SHA1 hash:

f4e8c44ff923bf7bb0f5a4b8c104d8d79d4b93e8

Link:

https://www.unpac.me/results/b73a6988-ccb5-44ec-8cb1-dfe59791c501/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/61cafe16ef31/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_mem Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)