MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 921aa7b40c037a753a81e51b23e9a6b4463143a160b4da988a7104b118ac0ad4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 921aa7b40c037a753a81e51b23e9a6b4463143a160b4da988a7104b118ac0ad4
SHA3-384 hash: 310dc184b6249532901cf4373db7dccd6f19e5c6dd44794352d97ed3f85c20bad6677b9334155c3916e4aa6d7d0983d6
SHA1 hash: 2c92cb361bb15312fee4c9dc3878fd7a3a3c502b
MD5 hash: eb09ced3d4598cc2c956c01279c9f06a
humanhash: nine-nitrogen-alaska-ceiling
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'205'696 bytes
First seen:2022-09-24 13:20:17 UTC
Last seen:2022-09-25 16:24:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5cdfba68edbb115e7aa5ed6776bb6546 (29 x RedLineStealer, 1 x MassLogger)
ssdeep 24576:V8Lh7U7SwwjGOtntmIxIeX0PTMa5FtWiuGS2ACK3+MWTFthNN59UQKYZJx5gB+qU:q7S7U3i7zuGrmmTFthHHZJxmlKE
Threatray 14'617 similar samples on MalwareBazaar
TLSH T1D1A533D2C6CB26C4DC1BA93301162DEB064A754BD9A5563C671C9703F1BAA6387F3B22
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e8ce8e0f0fa6f8f8 (2 x RedLineStealer, 1 x Neshta)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc695034993_645997948?hash=b3e6OwFkjdr5o4YGcLxwTskO1KE0UvIx116HJdhqfIz&dl=GY4TKMBTGQ4TSMY:1664023279:nFkK7dlcl9sIRfjuLW7lOztNu4jlLZHQmrcJEy9aVFs&api=1&no_preview=1#crtest

Intelligence

File Origin
# of uploads :
68
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312912/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.7879.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Creating a file
Creating a file in the system32 subdirectories
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632f04ba26a88abc7d237633/reports/1a601c9c-006a-4e9e-9350-fcf853b92423/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/24ecbefe-e4d7-4c6e-bf67-1dcacb1241a0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076477
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/921aa7b40c037a753a81e51b23e9a6b4463143a160b4da988a7104b118ac0ad4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-24 13:15:30 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sinkpnaman5hkoub4unsh2ngwrddcq5bmc2nvgekoeclcgfmblka._file
Verdict:
malicious
Similar samples:
2d95cfcb96159d3be2fe43034ed9e100a0c38c14802c9718daa04e30199b899a
RedLineStealer
5582e7102f9412f260b4c2033d90ed2e521c862a4c677a2e7178d0a21b4a0275
RedLineStealer
8229d465d2a78b3686a2a0f203f2e400174494feec529068ecd2a5d34eacabb7
RedLineStealer
b4475836595207c786fb1bb658776b19a668e1ff8aff9f688f9fa18c20d93924
RedLineStealer
bef0d9edea1dd55695f0490efa9a9dfaefeff5154dc56f407391781dc7e0ed4c
RedLineStealer
c31382b24d3f3ed0cf2873aeb3bc2510ca7869a1ff64a55b48ccf8a7145b9493
RedLineStealer
d099e42a4c8649fe039ab52c7f479a31e897242f211a0c2e073aeaf12fcd34ee
RedLineStealer
d264b5217f8fa50ddb89b02a6b8b00e17619fd5298318b445bae4e6f6aa92e8d
RedLineStealer
fce6ca7ddeeb6b6ae0f8e0a3f555c0ca8d972686716d6fbfadeae05a403e1317
RedLineStealer
+ 14'607 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/220924-qlmyhsbcf3/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e99fd683-215e-41be-98b1-a9ffd99874d5
Unpacked files
SH256 hash:
3b0cf1ed9cd77ec8f9a20312d61ba3e9b9993ae770e0536a5e07e230aa748fcd
MD5 hash:
be95d8712de0e53edcad29d83be0af1d
SHA1 hash:
e25e537108c84022e4ee48428748fad66880ee96
Link:
https://www.unpac.me/results/64ed32f5-37f0-4966-8cad-3d6be2d7de0d/
SH256 hash:
3772a947cbd6f52acb8cfaefb5db7f67212f718ed1ecaa8344aecfd5d4b67657
MD5 hash:
065eb489ca87ff3b9a4874b65b0ab5c7
SHA1 hash:
b264e2b65d2a472302e4b5684a6300034811e9e3
Link:
https://www.unpac.me/results/64ed32f5-37f0-4966-8cad-3d6be2d7de0d/
SH256 hash:
7b573d9e6bba0583cec5e70a58ffdc75f7849de588df7f11d174af7b89735f9e
MD5 hash:
3439b31f24f2f5b1d3c13f778239f89f
SHA1 hash:
985224f0b81961c4f19fc8f69e3140aba28a985c
Link:
https://www.unpac.me/results/64ed32f5-37f0-4966-8cad-3d6be2d7de0d/
SH256 hash:
921aa7b40c037a753a81e51b23e9a6b4463143a160b4da988a7104b118ac0ad4
MD5 hash:
eb09ced3d4598cc2c956c01279c9f06a
SHA1 hash:
2c92cb361bb15312fee4c9dc3878fd7a3a3c502b
Link:
https://www.unpac.me/results/64ed32f5-37f0-4966-8cad-3d6be2d7de0d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/921aa7b40c03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/921aa7b40c037a753a81e51b23e9a6b4463143a160b4da988a7104b118ac0ad4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/312912/

Comments