MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d5183e16553bfad76d68b950d94144e5d57633c716074ca3d76cf6e6903918f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	8d5183e16553bfad76d68b950d94144e5d57633c716074ca3d76cf6e6903918f
SHA3-384 hash:	c8281d682e7755fc6878e2728e8e681f536fcff7dfcd976edaa646438ce5386320b4ebc43797fdf9a9279e118e5b60c4
SHA1 hash:	d9783a2381c3da1cf394844ee35d6662992e0766
MD5 hash:	cf9103c3643f099ff2b4bf9d7258c54f
humanhash:	nevada-louisiana-wyoming-north
File name:	RedFlame.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'106'816 bytes
First seen:	2021-09-19 19:14:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:Zgw8gCbfwf3saJZrvyu2nJZ7s1lEgx5tmOfy8RuiOkO9G0rgf/VXiPo1LHkqdi8:Zf4w/saJpGJJs1jx5fyouR7G0UnVSPyt
Threatray	5'935 similar samples on MalwareBazaar
TLSH	T1B4E512D530C97C8BF3A20C31E75758953264CE07CBBB9161390AF7C6BAB64B49226D4E
File icon (PE):
dhash icon	18b2f06171dccc64 (12 x RedLineStealer)
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RedFlame.exe

Verdict:

Malicious activity

Analysis date:

2021-09-19 19:17:15 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/dc6c3d32-5c6b-488e-ae7e-720d4d059379

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/189149/

Detection(s):

Win.Packed.Razy-9883428-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a window

Connection attempt

Sending a custom TCP request

Launching a service

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c002169a-765c-4348-a2ee-540bb3c256d9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/853627

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8d5183e16553bfad76d68b950d94144e5d57633c716074ca3d76cf6e6903918f/

Threat name:

Win32.Ransomware.WannaCry

Status:

Malicious

First seen:

2021-09-19 07:46:00 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

4a6bf1668bd4c6a6c8afbcea62d489853885f492a381d0d49b9e4b96ce2fef34

RedLineStealer

4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156

RedLineStealer

6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935

RedLineStealer

957053c12e4f2b092f77d0e91d4dc2ab0eef26220418ef77bd242141092b31a6

RedLineStealer

c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54

RedLineStealer

e97d796b47d0747cc89a25875eb8a5cb360ce5a7b9b4b0c4b52e86e79dfee463

RedLineStealer

+ 5'925 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/210919-xx8spafagq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/eb2aaf52-bce4-42c1-82af-af86c2e3e466/

SH256 hash:

8d5183e16553bfad76d68b950d94144e5d57633c716074ca3d76cf6e6903918f

MD5 hash:

cf9103c3643f099ff2b4bf9d7258c54f

SHA1 hash:

d9783a2381c3da1cf394844ee35d6662992e0766

Link:

https://www.unpac.me/results/eb2aaf52-bce4-42c1-82af-af86c2e3e466/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/8d5183e16553bfad76d68b950d94144e5d57633c716074ca3d76cf6e6903918f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/189149/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample