MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 681b36ba964707a5e9b7d132c96c4407d35fad89e3edb57c49291724fc1c00f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 681b36ba964707a5e9b7d132c96c4407d35fad89e3edb57c49291724fc1c00f7
SHA3-384 hash: d48175d44dbb6a99b9fffa526d709a96780fa384a00cd8dc917f67dc08b41ca32c0329fbcab4b4a69bdb94da3d141a08
SHA1 hash: e13d29c222074b09fe69f8a9ee8f6d63adfbde6b
MD5 hash: 298e85806448b33ff3cda9e2bbfbe651
humanhash: mirror-hawaii-kansas-fillet
File name:298e85806448b33ff3cda9e2bbfbe651
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:635'016 bytes
First seen:2022-01-17 12:27:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a7e176cd4b5400b26b3ab45b5a49c5c (1 x RedLineStealer)
ssdeep 12288:GQWY0SighvhuttH6CtTDDUo0aO/7JV63wbXjkya+ISdNnDcdI:Gu0S7hvhytaCbUo0f/7/63iIy7cdI
Threatray 32 similar samples on MalwareBazaar
TLSH T192D4021635A151D1E2D3E2F86B41833BF156EAC7200287B56BE1DD8BB8DB93D930E0D9
File icon (PE):PE icon
dhash icon de370d5d65330fa6 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:Polaroid Candy ILV (ZJ-2009-02)
Issuer:Polaroid Candy ILV (ZJ-2009-02)
Algorithm:sha1WithRSAEncryption
Valid from:2022-01-14T22:51:20Z
Valid to:2032-01-15T22:51:20Z
Serial number: 62afe29ef480238e4b41027e4a94388a
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 6955d4f5d2cf7279e06747a14c3ff78d3b7d7ee2783d8e2e1e7a8a1a2ece1beb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
298e85806448b33ff3cda9e2bbfbe651
Verdict:
Malicious activity
Analysis date:
2022-01-17 12:31:00 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/7546a2c3-82b5-4978-9a07-5eb729466401

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219836/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38560040.461.16367.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed print.exe shell32.dll
Link:
https://www.filescan.io/uploads/61e560d70f8c757253c457c5/reports/80f0b27c-d3a7-4ae4-a050-6d46afd2343a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac65d66b-ad5f-4009-862c-ff50ea30875d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921783
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/681b36ba964707a5e9b7d132c96c4407d35fad89e3edb57c49291724fc1c00f7/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 12:28:12 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
suspicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234
RedLineStealer
31766eecb30b54ce96546c75d37a133ee490b808e71b99c59b2e0cf703a27553
RedLineStealer
36d1c7bd0d09f604463f4e5ed69d13242104989fcd38196acc9b20404ceb61b5
RedLineStealer
39e1259929a3470b6d064daadf4742ddd59065fa1d72aa334ed298648f27697f
RedLineStealer
6e662c3d403396c5bfec2b051dd49b39662c3ff80f39c16ece3ebc2e1c469208
RedLineStealer
b912d450e6f45f40fcc8d4d6a056206667f56b4a61100e2c3f43589c50bd6e6e
RedLineStealer
f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053
RedLineStealer
f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb
RedLineStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220117-pnb4csadcq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7ee25fae24212273535209db9ba2b9bc94706702cd3d943d8e146d53752e72e4
MD5 hash:
579faa2046985013f468833b23680efd
SHA1 hash:
0da833cab679a335814507f9dabe97c0c3b3c359
Link:
https://www.unpac.me/results/fd525129-f62a-4199-94b3-e6904b6113a8/
SH256 hash:
681b36ba964707a5e9b7d132c96c4407d35fad89e3edb57c49291724fc1c00f7
MD5 hash:
298e85806448b33ff3cda9e2bbfbe651
SHA1 hash:
e13d29c222074b09fe69f8a9ee8f6d63adfbde6b
Link:
https://www.unpac.me/results/fd525129-f62a-4199-94b3-e6904b6113a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/681b36ba964707a5e9b7d132c96c4407d35fad89e3edb57c49291724fc1c00f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 681b36ba964707a5e9b7d132c96c4407d35fad89e3edb57c49291724fc1c00f7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1983632/
Cape
Cape
https://www.capesandbox.com/analysis/219836/

Comments


Avatar
zbet commented on 2022-01-17 12:27:50 UTC

url : hxxp://data-host-coin-8.com/files/8399_1642415944_3245.exe