MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 908cbdd42aab761a5c94b3ff36baecbec459e7c1864cc0e987820960a3768337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 908cbdd42aab761a5c94b3ff36baecbec459e7c1864cc0e987820960a3768337
SHA3-384 hash: 6976578a47026dc20430bd2e08b83e8f94be5476d8b77811d3159cb30ebeadaa864df37d80121dec0956cfdf39960167
SHA1 hash: 89a1ab62c0deb90c8e5f21be43f8947fbb51d0b1
MD5 hash: d7fe618a5abd530420c1ce652786ca07
humanhash: neptune-harry-hamper-august
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'547'712 bytes
First seen:2022-11-02 14:52:27 UTC
Last seen:2022-11-03 08:25:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7617119cde5afea121182e7cd8e56744 (6 x RedLineStealer)
ssdeep 49152:pQq99W4Uc4pdzdkt9eZykH7fjBZ6/ctmbVQ5cxMWrZ:JDgcUdzIbE9ptmJicxMY
Threatray 15'213 similar samples on MalwareBazaar
TLSH T1C1C52357F2C4CDA2C80E90328C8BE196A7B1F0015F9AA7A7335D131E9FB075A3E17695
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc759438714_648800309?hash=q2HYyMyFCG7MVlRm4kFT6bk9MJ0fzx7LFYdllproDLz&dl=G42TSNBTHA3TCNA:1667400506:7OdlFfqKvl2fdZQG9y06Hix7PCqFFyVzWBxFVUoZGdk&api=1&no_preview=1#xc

Intelligence

File Origin
# of uploads :
347
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-02 15:06:28 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/b1aed94e-77e4-4c29-b111-4ca2f63078e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/327230/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed setupapi.dll
Link:
https://www.filescan.io/uploads/63628450a5db8d309cbc6112/reports/85393936-95e2-4a32-b04f-b597a342671f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a1c92d65-a366-4a28-83c0-d1ae08a0fb55
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1103535
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/908cbdd42aab761a5c94b3ff36baecbec459e7c1864cc0e987820960a3768337/
Threat name:
Win32.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 14:53:27 UTC
File Type:
PE (Exe)
Extracted files:
110
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=scgl3vbkvn3buxeuwp7tnoxmx3cftz6bqzgmb2mhqiewbi3wqm3q._file
Verdict:
malicious
Similar samples:
50c809ce4ba740d1ab00609dd6d2c3e0d5d2cef44d40da4e204ba7296a42d5f1
RedLineStealer
76966d78b26e85420d0e8b8cd5fdd2c8f0458cefd9598a51c267bef889f90216
RedLineStealer
7dff45045b4788b0f836b1f38d625f47de4d93e7f4b293a07079ea3972ff35a0
RedLineStealer
8489216ba6ebef2beae044f188cf01114cc8d91546fe6a00ccb8651558990925
RedLineStealer
921aa7b40c037a753a81e51b23e9a6b4463143a160b4da988a7104b118ac0ad4
RedLineStealer
c0cbc42be162a27bca2da5896e07a36bd73256f78f368f702ba7c270038f94d3
RedLineStealer
cf184ac744359b2bd92896eaf34e144ee3f5689ed4d73679343709875cfd665a
RedLineStealer
+ 15'203 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/221102-r9atjahfc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1be0d954-d1b3-4987-b5cd-ec097ce94238
Unpacked files
SH256 hash:
9ab89e09b3548df3661fb5049f4861ff64eb6f62473e0b71ea8cf17633851b3f
MD5 hash:
7eeffac3cd1602a120e9f6749e06dec5
SHA1 hash:
d8a4e9986b53928ad083c81929b46b1347013df6
Link:
https://www.unpac.me/results/955bd218-6894-4b85-b061-67633e0f990e/
SH256 hash:
6bee1f0133cafd1828904f4b2f7eff0e2e29ed3d8b00dd1e2733566d216c9217
MD5 hash:
653b62d9683c1ef8be36be601891a322
SHA1 hash:
963dfd9ac1be2fd7bcbee693e55387c23114ed24
Link:
https://www.unpac.me/results/955bd218-6894-4b85-b061-67633e0f990e/
SH256 hash:
8f6cc4784f6419fe86a66cce0420781db1d081b20a2c6a75c5b488d9934087fd
MD5 hash:
e0144e9f38724a4a23ac4d409d73aa5e
SHA1 hash:
ca3cbabe8b51c825681875dcfcd29bafe048f0a0
Link:
https://www.unpac.me/results/955bd218-6894-4b85-b061-67633e0f990e/
SH256 hash:
908cbdd42aab761a5c94b3ff36baecbec459e7c1864cc0e987820960a3768337
MD5 hash:
d7fe618a5abd530420c1ce652786ca07
SHA1 hash:
89a1ab62c0deb90c8e5f21be43f8947fbb51d0b1
Link:
https://www.unpac.me/results/955bd218-6894-4b85-b061-67633e0f990e/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/908cbdd42aab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/908cbdd42aab761a5c94b3ff36baecbec459e7c1864cc0e987820960a3768337

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/327230/

Comments