MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9351b3d3a5b780220b67f06c7cb9b8d49a95055f6aa0934b733b0208458cfa6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	9351b3d3a5b780220b67f06c7cb9b8d49a95055f6aa0934b733b0208458cfa6f
SHA3-384 hash:	bb5784bba8fc6f4818d23ea34448462d68683f89f3ac090be945b17fd7a94d10904a381320ae68fa1228fd7065ac6ab5
SHA1 hash:	69e9cd85861a4d57652d52721536eb65f6cbf215
MD5 hash:	a517c307af008fca4fcd6caff59aa809
humanhash:	batman-happy-five-california
File name:	9351b3d3a5b780220b67f06c7cb9b8d49a95055f6aa09.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	289'792 bytes
First seen:	2021-09-29 12:06:19 UTC
Last seen:	2021-09-29 13:11:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f249badb491e7862c803d80af2d74342 (2 x ArkeiStealer, 2 x RedLineStealer, 1 x Formbook)
ssdeep	6144:d1b0y38YMfytbTS/7VcgUMzHLcPI1ouSzy:713vMKlTU84YI1Uy
Threatray	2'423 similar samples on MalwareBazaar
TLSH	T12854D010E540C3EAC306067EA865CBDCD92DB94DFBF06A363B9426CF6E791A37121352
File icon (PE):
dhash icon	4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
65.108.1.219:28593

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
65.108.1.219:28593	https://threatfox.abuse.ch/ioc/227532/

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9351b3d3a5b780220b67f06c7cb9b8d49a95055f6aa09.exe

Verdict:

Malicious activity

Analysis date:

2021-09-29 19:48:46 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/b53f0ff4-c1cc-4b31-a256-c4fe973c714c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/193131/

Detection(s):

SecuriteInfo.com.Packed-GDTA517C307AF00.5540.710.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Launching a service

Creating a window

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72bab715-6f9d-4f76-a4f9-7ab4b7ff6085

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/861431

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9351b3d3a5b780220b67f06c7cb9b8d49a95055f6aa0934b733b0208458cfa6f/

Threat name:

Win32.Trojan.MintTitirez

Status:

Malicious

First seen:

2021-09-29 11:55:17 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sni3hu5fw6acec3h6bwhzony2snjkbk7nkqjgs3thmbaqrmm7jxq._file

Verdict:

malicious

RedLineStealer

401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766

RedLineStealer

4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c

RedLineStealer

9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467

RedLineStealer

9b9b66a158beacb1a23877ab25c70435a43f072f76a0ba35fed9ad32f781d04c

RedLineStealer

9c57d0fc5a49debe9dbb49bfebe011bcf249542f6bbd4eefd41c75c3b5ff7d51

RedLineStealer

a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b

RedLineStealer

ac098ff6d0aab414dad2bce4a4a21ade100a6d4921bf90c7890409b8d37dea05

RedLineStealer

c033668e5a3c82e261b344df51117a1acca8a6eda9668c4fd854d5af8e6681a1

RedLineStealer

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9

RedLineStealer

+ 2'413 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:aboba discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210929-paay5sfaaq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

65.108.1.219:28593

Unpacked files

SH256 hash:

0a7f6ce70923db73b2e62231d9b251b9f97870f08aff623c6bb0fbfba390ce49

MD5 hash:

139cc9a35b5f00a94f2cf97664c6c233

SHA1 hash:

b943d8562d9aa2643b5d95ffac132300655ee03f

Link:

https://www.unpac.me/results/8a8f20ad-340f-42b3-806c-0e3bca6d3bd7/

SH256 hash:

2c2943c94968554ae9e99f63ddc5b3ee5c28925cb377666cce78ce5514f1d418

MD5 hash:

3c9d0b88605ce327cc5970a6e25dd204

SHA1 hash:

a0ed7f7632c71a918e4bc9b5bb971069d0bbcdf2

Link:

https://www.unpac.me/results/8a8f20ad-340f-42b3-806c-0e3bca6d3bd7/

SH256 hash:

5022265c1508716105ce6bcdfa73091752a4ef8d3894cbb2a314950b57a43f58

MD5 hash:

619c835f77babddfc1987c281e291cb9

SHA1 hash:

822eb7969375cc9334e5339f1c506bdcbab7ff71

Link:

https://www.unpac.me/results/8a8f20ad-340f-42b3-806c-0e3bca6d3bd7/

SH256 hash:

9351b3d3a5b780220b67f06c7cb9b8d49a95055f6aa0934b733b0208458cfa6f

MD5 hash:

a517c307af008fca4fcd6caff59aa809

SHA1 hash:

69e9cd85861a4d57652d52721536eb65f6cbf215

Link:

https://www.unpac.me/results/8a8f20ad-340f-42b3-806c-0e3bca6d3bd7/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9351b3d3a5b7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9351b3d3a5b780220b67f06c7cb9b8d49a95055f6aa0934b733b0208458cfa6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193131/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample