MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 888b5e39aafdf0f8db93b08e9e6dfc59430c54d1c7ca844f626645e00101ac32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	888b5e39aafdf0f8db93b08e9e6dfc59430c54d1c7ca844f626645e00101ac32
SHA3-384 hash:	6aebdf1c6c3574e0f2e8b7333ddc02acff2887ac419c2db5fd057cf01b58b7d576d25e0c4afc98f13df27e37d47d6697
SHA1 hash:	6f260f4cb0ded66c3ae7d44c1f52ba221c6365ee
MD5 hash:	6bf5488cbc8b5475997c8f9feb9b80f6
humanhash:	eight-cardinal-aspen-enemy
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'466'568 bytes
First seen:	2022-09-09 10:07:11 UTC
Last seen:	2022-09-09 18:41:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	24576:Hk77TrciDl2xUk4ghirAZyoKuscuLERFlq/at8w0b7DOXsWGD/JBACHkJdGBP:HkHTAGryirAZyozrYSV0b/Oc1DBeOkJA
Threatray	5'040 similar samples on MalwareBazaar
TLSH	T1FF6523227691C272E47705B044F7CF6ABE19707703A444C7B99F62EA5E603F5E22D2CA
TrID	56.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.1% (.EXE) Win32 Executable (generic) (4505/5/1) 3.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Ⅰ Ⅱ Ⅲ Ⅳ Ⅴ Ⅵ Ⅶ Ⅷ Ⅸ Ⅹ Ⅺ Ⅻ
Issuer:	Ⅰ Ⅱ Ⅲ Ⅳ Ⅴ Ⅵ Ⅶ Ⅷ Ⅸ Ⅹ Ⅺ Ⅻ
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-09-07T20:19:15Z
Valid to:	2032-09-08T20:19:15Z
Serial number:	43f4e6ab92e40abf49f999adb550e170
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	2f9037fb1fe320c936c45b5fdcc4d865439a43c1db835e34cf9687b18fb4f6c6
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://espegy.com/wp-content/uploads/2022/09/notepad.exe

Intelligence

File Origin

# of uploads :

# of downloads :

338

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-09-09 10:11:09 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/305d179c-e3ab-43fe-924b-02ccb8db9a1c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308969/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file in the system32 subdirectories

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Creating a window

Running batch commands

Creating a process with a hidden window

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/37196/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EnumerateProcesses

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/631b10ff55480bd187d80f0e/reports/7aafe37f-ac2d-40b3-9cde-1b3f3259cc01/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aee3ecb5-3cb7-457e-92c6-2864d8482230

Result

Threat name:

AsyncRAT, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1067705

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

PE file contains section with special chars

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AsyncRAT

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/888b5e39aafdf0f8db93b08e9e6dfc59430c54d1c7ca844f626645e00101ac32/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-09-09 10:08:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rcfv4onk7xyprw4twchj43p4lfbqyvgry7fiit3cmzc6aaibvqza._file

Verdict:

malicious

RedLineStealer

1fecd284567ab13f0c92dad3ae05fc2f4f1ad678de8bcceca62991f88990d090

RedLineStealer

2032f4c705391c616308c070f4aa16aed376c18cdc1deb207e8c9048edb0cce8

RedLineStealer

21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421

RedLineStealer

23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02

RedLineStealer

408e38b4d81de63e5762dcb8024f81360b426429821f9934b087aa0a6b44c56f

RedLineStealer

7da2d1a4480abcd09e623396da276219ca59bebbb221a09f465f0f66ecc2a571

RedLineStealer

ba82cdc4db591f35dc0371faf051f1ace9f8e0151b01cc8d0568102351ee8cdf

RedLineStealer

cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c

RedLineStealer

+ 5'030 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220909-l571ksghg4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

d141b46f6fee577c38bddacbd7bee58a9a464fdad9adf6ed461a18c5ef7fd7fa

MD5 hash:

e182cb188bdee63651ccc0c001d3e771

SHA1 hash:

b4cdc2c32c8e05925571f635e3bc1ebc160b337c

Link:

https://www.unpac.me/results/a01470a9-f791-4b26-9cc3-400c901703e7/

SH256 hash:

743787f128c66c9d88497c5fb2a6a5b60c5462bae0b0f8bc9152e52710569a01

MD5 hash:

1e6f0824e307af1da1537927dad39084

SHA1 hash:

8cb69e181600d37a6e033bd7ac719e88bba85100

Link:

https://www.unpac.me/results/a01470a9-f791-4b26-9cc3-400c901703e7/

SH256 hash:

888b5e39aafdf0f8db93b08e9e6dfc59430c54d1c7ca844f626645e00101ac32

MD5 hash:

6bf5488cbc8b5475997c8f9feb9b80f6

SHA1 hash:

6f260f4cb0ded66c3ae7d44c1f52ba221c6365ee

Link:

https://www.unpac.me/results/a01470a9-f791-4b26-9cc3-400c901703e7/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/888b5e39aafd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/888b5e39aafdf0f8db93b08e9e6dfc59430c54d1c7ca844f626645e00101ac32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/308969/

URLhaus

https://urlhaus.abuse.ch/url/2297681/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample