MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67f3c69154571f01ae4fcdf95145f35f534acca15ec2ad643aea52c4210a4327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67f3c69154571f01ae4fcdf95145f35f534acca15ec2ad643aea52c4210a4327
SHA3-384 hash: 1c6f0bfef824f9075a43587f27ca2a256be627bc9ad24372e42da27af1348d70dc9c1605c0ab2d5084ff2086802a715c
SHA1 hash: d2f535c00782cebe5de62a836843d0704c1aa95c
MD5 hash: 8f9a3449cfd1547cdffe6053fced3a87
humanhash: thirteen-july-carolina-arkansas
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'228'800 bytes
First seen:2022-08-25 09:10:07 UTC
Last seen:2022-08-25 16:31:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:+NJTEm8qGfHoMeGwWzXjVQ3EGLkRdPirtfvT9/AFfo1:+J8qGfIyzXRQ3ECk3ihfvxI5o1
Threatray 35 similar samples on MalwareBazaar
TLSH T11336127392A4116AD0E5DC398937FEF131F5172B8B41E8F6E9992AC5142A1E0B333D93
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 69c8d4aa86069806 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:Sony SEL-55210` 55-210mm F4.5-6.3
Issuer:Sony SEL-55210` 55-210mm F4.5-6.3
Algorithm:sha1WithRSAEncryption
Valid from:2022-08-04T17:15:41Z
Valid to:2032-08-05T17:15:41Z
Serial number: 71af883ca5c1f6a5468e1d000e8f62a0
Intelligence: 21 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2fc8f2eef60b60562725a8399069d699021051435488d136c8cd8b691b4ca9ff
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc746114504_647285914?hash=5uvOeNq2wIvEXerdeYIvaBJyZzZRFuamgciZtiP8ep8&dl=G42DMMJRGQ2TANA:1661417496:Iu75WK1MJSK5Bk0QCiO2Lj38VlSU0lpb8SdSVpb0LFL&api=1&no_preview=1WBD&api=1&no_preview=1gt4&api=1&no_preview=1

Intelligence

File Origin
# of uploads :
7
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-08-25 09:11:32 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/232eef7e-79fd-4248-8ff5-1744917258f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301079/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/63073cb0b6f2a6ec1d63455e/reports/0c6b6b37-7a2c-4cc1-acb6-f73f5fc28bb1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cb4869f8-752c-4e74-9d4d-cee4cadc73a2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1057569
Signature
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67f3c69154571f01ae4fcdf95145f35f534acca15ec2ad643aea52c4210a4327/
Threat name:
Win32.Trojan.RelineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 09:11:12 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7z4nekuk4pqdlspzx4vcrptl5juvtfbl3bk2zb25jjmiiikimtq._file
Verdict:
malicious
Similar samples:
0b636826bd9fc3e6d177d445f8ef354cbe659fcbd4740d41eba3c2a8e5a499aa
RedLineStealer
573695b2ac9e3a239ecddee3b688aece5257db0677bf551a259a41b31db07050
RedLineStealer
598586893fb0e16e8ed4d6fda07e534a8907cc29df41187f825919056f1a37f4
RedLineStealer
6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22
RedLineStealer
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
RedLineStealer
b5f9db69c3cdf53a216cef5fc4a2b0269fd231def5f0153d4f31d4c7a4cdd9c5
RedLineStealer
d8532777789b75a7832538210f185fa048550a2b735cc52dbab2622acc619c93
RedLineStealer
e56e40b828cafc16582377e3086fa8a9f892190d2e6fe5b2686039c65dfb7360
RedLineStealer
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
RedLineStealer
+ 25 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220825-k5k1dabfd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
ba212c8f0abe3910c917e56dba9471f48a11eb167d09ed7cc5f9e67a8005f142
MD5 hash:
16b639544646d5f39708c252b4d782c8
SHA1 hash:
c345aa2aaee332c3e24e7a061773138dd5ca34e5
Link:
https://www.unpac.me/results/db167ab6-3c04-4462-9190-b9907f51aa0d/
SH256 hash:
161b8b561b23313ed24a2a85e9f119312758446598ddcd492d097ab187b8b62a
MD5 hash:
bfe88e4c9d4a2a9d36e1fe1364cf2aba
SHA1 hash:
76def28f758c936e134ac18adca2fa7c99f03c27
Link:
https://www.unpac.me/results/db167ab6-3c04-4462-9190-b9907f51aa0d/
SH256 hash:
67f3c69154571f01ae4fcdf95145f35f534acca15ec2ad643aea52c4210a4327
MD5 hash:
8f9a3449cfd1547cdffe6053fced3a87
SHA1 hash:
d2f535c00782cebe5de62a836843d0704c1aa95c
Link:
https://www.unpac.me/results/db167ab6-3c04-4462-9190-b9907f51aa0d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67f3c6915457/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67f3c69154571f01ae4fcdf95145f35f534acca15ec2ad643aea52c4210a4327

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/301079/

Comments