MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b
SHA3-384 hash:	950e544b5710e101546a366bcf26790375cfc1c186d380fecd312bfad7ed93484a768a2fe9e523e87d6223d0ec95d9cc
SHA1 hash:	3244da3e542246f96efa14daf699c8f2c5390da7
MD5 hash:	96c135845ebc9d611bcf8bf17972f0b5
humanhash:	nebraska-eight-yankee-timing
File name:	SecuriteInfo.com.Trojan.PWS.Stealer.37076.12071.9961
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	245'248 bytes
First seen:	2023-08-28 02:43:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0789ffb4698151ed5478258ac60f998a (1 x RedLineStealer)
ssdeep	3072:OKppHwFECxXcdiy0mgK3cy0Q9WVoaae81CbuUN0BPkf11gr42xfsjwsfuB/:tMECxXcm4MpQXACn0nisjvfuB
TLSH	T1D2343ABE64E06860EC81B2FB4351BF6CE57634169AE0933D137A22E6736E5C0C778671
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

SecuriteInfo.com.Trojan.PWS.Stealer.37076.12071.9961

Verdict:

Malicious activity

Analysis date:

2023-08-28 02:43:15 UTC

Tags:

stealer redline

Link:

https://app.any.run/tasks/41f028a3-9084-4456-a025-751a8e0de282

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.37076.12071.9961.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware masquerade

Link:

https://www.filescan.io/uploads/64ec09f3b3b7d7c782d08196/reports/bbeddb82-31ab-49f1-8021-3c76026f51f7/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

WeeLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d0306cb9-3c6c-4064-b331-4d41fdfa54b5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1298463

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-08-28 00:18:44 UTC

File Type:

PE (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rdmweipzf732i2n7fscxhr6nhx6h3wulwercfhmvsgyzfr6ez4fq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1smokiez_build infostealer spyware stealer

Link:

https://tria.ge/reports/230828-c755bsgg7v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

194.169.175.232:45450

Unpacked files

SH256 hash:

8e8e0373770eca3d6a83754b2b03a2aa4fb656da0fdf9ca7a22cec635e6456e6

MD5 hash:

95648a7a02ef3b1d3d4b75ec95321ae7

SHA1 hash:

a59f6b324262cbb6a506e6ba83070111f9ddc13d

Link:

https://www.unpac.me/results/a14e4b36-9680-4dda-b65a-d575decac20c/

SH256 hash:

8527c6bd10918acad665a69a4bee768a93f8bd4a6e5df9524db8ccb15908cd6d

MD5 hash:

a92d1176998ed38971164677ba713e01

SHA1 hash:

03cc7779822fc2daaa2912b69be4d39bcac120aa

Detections:

redline

Link:

https://www.unpac.me/results/a14e4b36-9680-4dda-b65a-d575decac20c/

Parent samples :

8222ee950ed5797be9775e4f663b77bcfd2cd167e3c507a64728f4caf01158cc
eb3d0d631eba885dfd0f9125726dc5722d778e84ff84674799f37e640ac7916f
7ccebb35a6047b4f54b86986f3c18a6676a242e6eb11ebba584dace0a1f18f7e
903d6e4d7f146a084a7d7cec6eda2d10efaf217351bb73fe0b7a785affc5d73f
88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b
f45b35a54f3e388a312240466400b90ecde40f1e5b13aed562cee585cedc0273

SH256 hash:

88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b

MD5 hash:

96c135845ebc9d611bcf8bf17972f0b5

SHA1 hash:

3244da3e542246f96efa14daf699c8f2c5390da7

Link:

https://www.unpac.me/results/a14e4b36-9680-4dda-b65a-d575decac20c/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/88d96221f92f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 88d96221f92ff7a469bf2c8573c7cd3dfc7dda8bb122229d9591b192c7c4cf0b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2707433/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2706937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample