MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f9ca1a18eb9a5c5938a9a74a1072a44fbd16685172468e61c7a564a8175c9a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f9ca1a18eb9a5c5938a9a74a1072a44fbd16685172468e61c7a564a8175c9a7
SHA3-384 hash: 4af5c9af5ba90e63fa7cf0203ac7fcc6fbc23d44d5e3455b08e9c8243d42ef0a227798eba53740a4cf5069141d8016ab
SHA1 hash: eef8aa298f25b68ed297a8f2e52b06f37c0e2a1b
MD5 hash: ca65a8331e95305fc9ef541933a7e48f
humanhash: one-enemy-lactose-timing
File name:ca65a8331e95305fc9ef541933a7e48f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:411'648 bytes
First seen:2021-03-13 08:43:05 UTC
Last seen:2021-03-13 10:31:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash edaf90ef51f583d8b86281ef2b5e6c9c (1 x RedLineStealer)
ssdeep 6144:RsxSJt/sQKpz0epARzpec+Tota6xXcojEeJiVqdnhN4Y:Riit/ypz0epAhgc+E/lFhSY
Threatray 219 similar samples on MalwareBazaar
TLSH 6294AE21B6E0F030F6F306B559F982B5A935BD30173980CBA2D6279E5A346E5EC31B53
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b6dee904e73c8c039098ab870346e85.exe
Verdict:
Malicious activity
Analysis date:
2021-03-13 08:44:16 UTC
Tags:
evasion trojan rat redline phishing
Link:
https://app.any.run/tasks/25564add-ee9c-4610-9a6b-4f673d642b52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/124086/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.62784.29499.23274.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/638544
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f9ca1a18eb9a5c5938a9a74a1072a44fbd16685172468e61c7a564a8175c9a7/
Threat name:
Win32.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2021-03-12 01:24:14 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6okdimoxgs4le4ktj2kcbzkit55czufc4sgrzq4pjlevalvzgtq._file
Verdict:
malicious
Similar samples:
0a5faef2bdcce3d5b58e9062bf8f936596a96eaf0b270ed86cac3033cd922537
RedLineStealer
2852a664525d2400ec504f287eee68bc78f1079bcf5d8f3250e3a0a90cc62d1b
RedLineStealer
687459064daabf67f8b61dc974e0b531f07aeda1f2084ae5ae6f2e1ab85a453c
RedLineStealer
808be962b671de3c658a363c3ca14ea5181d3669f0a23f0263a175e9416daab5
RedLineStealer
9024b91ce7d51dcba37b1c4d50e89d0819ef236f2e8adaac8e935dbdc49de99c
RedLineStealer
a0e6efd5e5cbefe2a59d0f5d0aa4486a7857c4f7658cd36489c4f41fd3fd0382
RedLineStealer
ab22c95510080faac2e49e26359995096e891b1043fc9f62dbff27e166c98316
RedLineStealer
bcd0816d97ffba1d11214540f3bf25344f835281fdd67edba638054527833222
RedLineStealer
ef8dc2b4c4b327b65fa0332afd58c2172f1bac69d6b1d15037cd4878cfdd96df
RedLineStealer
feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5
RedLineStealer
+ 209 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210313-re461jamka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
583fb2d17e6483e4536ae0ee91dcc886beae68db3385b44d269d210f9ef9af5a
MD5 hash:
1eac6630eeb66b8e02c7de3f936b6593
SHA1 hash:
6bde6dfd3c87209a256bfb432a50e4e761fd0d0b
Link:
https://www.unpac.me/results/ce7bc47a-9f21-47be-a456-93fcab7b7cde/
SH256 hash:
9644c4d3b7b601765d371e6a2acaa8ddbf14e5d1cfbf4ef62e70343cb9b63fe9
MD5 hash:
72e8355ba84463febb84b9e171b8b090
SHA1 hash:
30aac2909b3007245bdb34de4ca31dd959ccdbf3
Link:
https://www.unpac.me/results/ce7bc47a-9f21-47be-a456-93fcab7b7cde/
SH256 hash:
0dc37bf059a44a011fad8323c4384155ba477d439f0b411950795bf59e9a62fa
MD5 hash:
e8d3849d676a961339c16ea57fb0a95c
SHA1 hash:
0e96ad359c388f7f8e051d9371cfb1fdf469c6ec
Link:
https://www.unpac.me/results/ce7bc47a-9f21-47be-a456-93fcab7b7cde/
SH256 hash:
6f9ca1a18eb9a5c5938a9a74a1072a44fbd16685172468e61c7a564a8175c9a7
MD5 hash:
ca65a8331e95305fc9ef541933a7e48f
SHA1 hash:
eef8aa298f25b68ed297a8f2e52b06f37c0e2a1b
Link:
https://www.unpac.me/results/ce7bc47a-9f21-47be-a456-93fcab7b7cde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MultiPlug
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/6f9ca1a18eb9a5c5938a9a74a1072a44fbd16685172468e61c7a564a8175c9a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6f9ca1a18eb9a5c5938a9a74a1072a44fbd16685172468e61c7a564a8175c9a7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1056715/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124086/

Comments