MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96
SHA3-384 hash:	1f4cdb05a797e000ed48f60d130b8c8e3eebdcd4f9e3f63fc9a3e30a60f5e318060a2819179d01eba297f6fe637774ed
SHA1 hash:	a1053b4031ac666f846d056a08360e174b463344
MD5 hash:	9b5c35af1cfbbd60500b69f830b51032
humanhash:	black-bulldog-wyoming-alanine
File name:	671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	757'048 bytes
First seen:	2021-09-15 07:10:13 UTC
Last seen:	2021-09-15 08:11:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:3CV3wn65bPgQnJq0kXBNVl/6aEusAgez64ehJSJO:kwqblJUBvd6aEusTeBehJQO
Threatray	668 similar samples on MalwareBazaar
TLSH	T1E2F4AE4D624C4B25D5BB0FB994624891473F6F53BD68F2AC2C1DF4D58AB3BC04E62A23
dhash icon	9e3371496973378e (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe FOXIT SOFTWARE INC. RedLineStealer signature not verify signed

Code Signing Certificate

Organisation:	FOXIT SOFTWARE INC.
Issuer:	DigiCert EV Code Signing CA (SHA2)
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-09-07T00:00:00Z
Valid to:	2022-05-19T12:00:00Z
Serial number:	072472f2386f4608a0790da2be8a48f7
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	fd7ef46ac5c97813cb7f6d16e006a1febaa9e11bd7f414dcba0fb047b1bef09f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96

Verdict:

Malicious activity

Analysis date:

2021-09-15 07:16:32 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/2976e364-08f7-480e-a5cb-420416ed3a11

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/188021/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46968535.31202.28982.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/617515c29a5a1e91c5d20285/reports/d8dd0e18-988c-49ed-9cb3-b343f3f8cd6f/overview

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/792a8639-6cd3-4082-99ae-01c7f3cc54e3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96/

Threat name:

ByteCode-MSIL.Trojan.RedLineSteal

Status:

Malicious

First seen:

2021-09-14 14:56:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4p2xihltk6krisur5vfelhcssnwkwwsopn6rtenwyjxr4eixsla._file

Verdict:

malicious

RedLineStealer

52c8b2a76e11b6fab2913cde02aca252462f61a89e0436815e272fc74f0137ec

RedLineStealer

830b27683258b9f669a465aa971db78884f34dbe8d6fd261a4eae6e850b88c43

RedLineStealer

8d54f39dca652351657082145dcf19755740f1d807204a28345c8660c74546e2

RedLineStealer

8e1744ef99e2d9e8aa9447dd7495ea10c66c50d03125eda0574c1e29c71237ff

RedLineStealer

9b219f917b2990b8e0ab9a60f9d7b61c281dbef457b20c2b0a1e5e8b1989d74c

RedLineStealer

9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a

RedLineStealer

b948568e3dd6b10e2497a62c0d86a8ffa061cb8c1789e1b76d3b4ffde3dc64fd

RedLineStealer

d1653b5cbbf61f3666ac0c5ac308b75d0d0c5029941ca9efbf37f18b51f9a3a6

RedLineStealer

e6caab24402f364bef57cd70a56650b7d657d3098e63361de7ddef5539199a66

RedLineStealer

+ 658 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:adsgoogle discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210915-hzyceaaag5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

95.217.152.142:43710

Unpacked files

SH256 hash:

17c71f8cda456fe85ea062ee7f135b4f3e5ba787190b9bb48e78917c22e0d5c7

MD5 hash:

b4d7f1ab1c81d93de8a2ff84d509404c

SHA1 hash:

df003f1270723c64050da615339657ca1767717c

Link:

https://www.unpac.me/results/8b75b054-34a7-4be2-bd0a-7f75abc6aec3/

SH256 hash:

8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be

MD5 hash:

4abff34e351e4e95514aecb515e8aea3

SHA1 hash:

742702e8c78e7cf19f19e56a6cdb2d1811759710

Link:

https://www.unpac.me/results/8b75b054-34a7-4be2-bd0a-7f75abc6aec3/

SH256 hash:

04245fb34bc33b5d95b779456d4dd907a219bbe4d894110c41d4fd1e514c8548

MD5 hash:

5c52ffc11abde75dbbf846e4def669e5

SHA1 hash:

2f1a74b8a74cc1a3b0b5197f9838b5f9b2ba8dfa

Link:

https://www.unpac.me/results/8b75b054-34a7-4be2-bd0a-7f75abc6aec3/

SH256 hash:

671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96

MD5 hash:

9b5c35af1cfbbd60500b69f830b51032

SHA1 hash:

a1053b4031ac666f846d056a08360e174b463344

Link:

https://www.unpac.me/results/8b75b054-34a7-4be2-bd0a-7f75abc6aec3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/671faba0eb9a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/188021/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample