MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 902426c4cd2fb4673caaff25004dfdb3d34609e51c458aab621ca655da376728. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	902426c4cd2fb4673caaff25004dfdb3d34609e51c458aab621ca655da376728
SHA3-384 hash:	7ae3539ee64b334b4f24aa3fe1667f41cf62b18b7adc0ef020fc6f645b4ac668cf3289918230a5adf3475aa11ace0207
SHA1 hash:	4a7845d73ecf54f72b27192812f9503676b541f2
MD5 hash:	95d9d9cf49f3e35d4390ca9492e01ba9
humanhash:	island-freddie-alabama-dakota
File name:	95d9d9cf49f3e35d4390ca9492e01ba9.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	355'344 bytes
First seen:	2022-09-28 16:20:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f1c78583a6c9eb021961962501368272 (1 x RedLineStealer)
ssdeep	6144:eZiMFNtNZnGcxP9A3C187Jd3+2voUdUAOzS4FcEi/5T6z3oapVUPw5c:eZDFNtNZGcxP9A0eUo4FcE85OUapVw
Threatray	7'397 similar samples on MalwareBazaar
TLSH	T11D749DB074C08D33D933163609F85AF9563FBA2107A6D4FF63940A5E4F216D3AA3356A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

370

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

http://cheats4.pro/download

Verdict:

Malicious activity

Analysis date:

2022-09-28 01:54:04 UTC

Tags:

trojan rat backdoor dcrat loader redline

Link:

https://app.any.run/tasks/2f229e83-b222-4c04-a490-dd92f8ee9028

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314439/

Detection(s):

Win.Malware.Pwsx-9963812-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/6334746f0d3d21420cc95de9/reports/5db6803d-b17f-44cb-956d-04549e912aea/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21e51d85-c5d3-4267-8d12-2e1b9b35a9d2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1079400

Signature

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/902426c4cd2fb4673caaff25004dfdb3d34609e51c458aab621ca655da376728/

Threat name:

Win32.Backdoor.Mokes

Status:

Malicious

First seen:

2022-09-27 22:56:45 UTC

File Type:

PE (Exe)

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sascnrgnf62gopfk74sqatp5wpjumcpfdrcyvk3cdstflwrxm4ua._file

Verdict:

malicious

RedLineStealer

2986955a86572ace49ad3773a3e1ddb742ade6a5d0b09e9f4597bba2477a1465

RedLineStealer

3bd622b55a64a74a2452fc882cd26f3adef86400b4d4000aed0791682dd43a25

RedLineStealer

44c6ed2ddb5e2077c153de0a299dcbff82ba1d2a9f304c0e4fed47496ba82af7

RedLineStealer

7c66ee2f98f5049a75e4eb682f5b635c56449b9c6bf5b06f51570698059e91cf

RedLineStealer

c89db6a3fbb0eae125de7f6044fed2c1744eac06660cb04228e0e69f52cefefe

RedLineStealer

ddd8aa44e44b27ae1604042ccd9564ab5bc44d72b680293856057995f154cbc9

RedLineStealer

+ 7'387 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220928-ttm52ahfcr/

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fdc6e769-48cd-48f3-a421-cb3fc2d728f6

Unpacked files

SH256 hash:

902426c4cd2fb4673caaff25004dfdb3d34609e51c458aab621ca655da376728

MD5 hash:

95d9d9cf49f3e35d4390ca9492e01ba9

SHA1 hash:

4a7845d73ecf54f72b27192812f9503676b541f2

Link:

https://www.unpac.me/results/5aeb8597-69fb-4ee0-91f6-7b2added2b26/

Malware family:

RedLine.D

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/902426c4cd2f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/902426c4cd2fb4673caaff25004dfdb3d34609e51c458aab621ca655da376728

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314439/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample