MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5
SHA3-384 hash: f787cdb5198209f0b26fa4e2d326d98ce6b887a000f288c1db1b92bb1180a20cd79f530047fba3ef7dfe428beadaf6d6
SHA1 hash: d954337798846a9b8fb2609f94f287dbe63a03f8
MD5 hash: 29d0bf8a76f51a9ec7d39f90cd7a5f57
humanhash: cola-montana-beer-charlie
File name:29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'373'176 bytes
First seen:2021-03-14 16:55:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40a3e3e00b1cad3ab67c828af845a553 (4 x RedLineStealer)
ssdeep 98304:iyNR/rSZFTFi+Hr0d9oNwG/X+o9nEa+7Zi0RkOMrrDz6Pad6o:XNR/GZLHId9oNwG/X+ySivrgRo
Threatray 385 similar samples on MalwareBazaar
TLSH 9A4601F381F103C8D58ED9F95B06FBD0AABF0A6A3A759475E49636FC33E14989202513
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
Verdict:
Malicious activity
Analysis date:
2021-03-14 17:01:06 UTC
Tags:
rat redline trojan stealer
Link:
https://app.any.run/tasks/6ae731db-a3e7-4ad6-821a-4f8a8fe02f1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/124207/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.38502.2151.23068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Searching for analyzing tools
Searching for the window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Creating a file
Launching a process
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/638885
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5/
Threat name:
Win32.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2021-03-13 17:24:51 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04c950e9fb1cf6ff2de10fd17f04191f8e938189766482ef856efa2581df8dbb
RedLineStealer
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
RedLineStealer
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
RedLineStealer
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
RedLineStealer
43aa01ebbd20c81ee60bd5b6bacabcdd0a84e0aeb892c0ea18383261dbcdb0fb
RedLineStealer
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
RedLineStealer
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
RedLineStealer
92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a
RedLineStealer
af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991
RedLineStealer
b12941d367baf1228f6d262c4696b267cd1d36e600742aaf1fee00582fe1ea07
RedLineStealer
+ 375 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210314-wb2mf7jl3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
themida
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Unpacked files
SH256 hash:
6ec32187a383702c1dce4ee42b1c214545e199574cbd6fb260f277cbf9361d70
MD5 hash:
4c6015f507c994000e1195760c6107df
SHA1 hash:
63fd9b5292c5a98fb731482cf0c756e391c25eec
Link:
https://www.unpac.me/results/f97396e2-6d92-4895-96ae-421fc6efb904/
SH256 hash:
86e2bf96be9346472405cc333bd2bdc1c7cbc449fa88bb765d368a3d749824f6
MD5 hash:
a795c539c51822939ebf5c0a13b05078
SHA1 hash:
1c234935f4fb8c2e7c0ded57b4c9759387b68c8f
Link:
https://www.unpac.me/results/f97396e2-6d92-4895-96ae-421fc6efb904/
SH256 hash:
d9310d5abac331f806ac9a247f35c0b415843cc39f14014a9a03495747d27d26
MD5 hash:
5dd3ac675ea4f5d912d4cfa5e3fd127c
SHA1 hash:
4a28568f5dc548d0d0a7bdcb041d8287ace89252
Link:
https://www.unpac.me/results/f97396e2-6d92-4895-96ae-421fc6efb904/
SH256 hash:
7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5
MD5 hash:
29d0bf8a76f51a9ec7d39f90cd7a5f57
SHA1 hash:
d954337798846a9b8fb2609f94f287dbe63a03f8
Link:
https://www.unpac.me/results/f97396e2-6d92-4895-96ae-421fc6efb904/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/124207/
  
URLhaus
https://urlhaus.abuse.ch/url/1065065/
  
Delivery method
Distributed via web download

Comments