MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93640539e9c8428a5aaabe06fedaf6b32aaa33c021477413bb4a86f94deee712. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	93640539e9c8428a5aaabe06fedaf6b32aaa33c021477413bb4a86f94deee712
SHA3-384 hash:	9365423c44475f6631ab78bd281ad1f55203049942ec5e64080d748d610bb433ae30890c3a82b52ee20a010082a515b5
SHA1 hash:	549ac16c99eb9c80e4021ae2b904906b0720063e
MD5 hash:	14a305b37dc32c6e0b45879ded0d534e
humanhash:	carpet-cold-king-table
File name:	14a305b37dc32c6e0b45879ded0d534e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	413'056 bytes
First seen:	2022-03-03 02:20:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eabb194c814da30562c2ce7e427fcafb (2 x RedLineStealer, 1 x Tofsee)
ssdeep	6144:lfrDjdErf1DUMs0Ut1yWajrY5sSr2fKjoq/Uk0cn4/A7ITsq7eX:lTDirdD3s0VTC2SjdN4I71X
Threatray	4'644 similar samples on MalwareBazaar
TLSH	T1D89402D17950C032C6827834D466FFA0AF7DA9B4DAA05D0F37B425BE6E343E2636D14A
File icon (PE):
dhash icon	c01edecea68c8ccc (154 x RedLineStealer, 98 x Smoke Loader, 36 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	AMCERT,LLC
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2021-11-30T00:00:00Z
Valid to:	2022-11-30T23:59:59Z
Serial number:	5ef27fc51ee80b30430947c9967db440
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	c2dcc4a1ea16e45f86828e81eda20f83e70cbf77e152ddd80b1b4a730ef77551
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RedLineStealer C2:
111.90.159.155:40622

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
111.90.159.155:40622	https://threatfox.abuse.ch/ioc/392248/

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246640/

Detection(s):

Win.Packed.Generickdz-9879553-0

Win.Packed.Bulz-9892763-0

Win.Malware.Filerepmalware-9940328-0

Win.Packed.Generic-9940373-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7946/overview

Behaviour

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware hlux mokes overlay packed

Link:

https://www.filescan.io/uploads/62202611b94fb38cb43e0c35/reports/72f8f44c-926a-4628-bd78-85ea7b1a94eb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/316eff1b-d6c7-4c41-91ee-d26a04a8890d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949623

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/93640539e9c8428a5aaabe06fedaf6b32aaa33c021477413bb4a86f94deee712/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-27 18:44:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 43 (74.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=snsakopjzbbiuwvkxydp5wxwwmvkum6aefdxie53jkdpstpo44ja._file

Verdict:

malicious

RedLineStealer

2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5

RedLineStealer

9f157ceaee5858d2f77f1f828d9dc8417c7c99a65b4412896ac0231416336393

RedLineStealer

b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c

RedLineStealer

ba195a9f090cb803df55df40d839f95e335234a13d3207f65efa46c3d0f837d0

RedLineStealer

+ 4'634 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:226 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220303-cs1ajaafhl/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

111.90.159.155:40622

Unpacked files

SH256 hash:

145eeb344e5429e96024cd5e9b562aeb67cf16261214b063ae2b53a0be64da4e

MD5 hash:

98a08c669bf54aecfc4e0b1ea654760c

SHA1 hash:

dd3084b31a55c6b5f6f7b8d09fa8044685d2b4e3

Link:

https://www.unpac.me/results/517a0507-0630-4d0f-bedc-ed84a154ea79/

SH256 hash:

086f7b30d90f16c148ff52ecec26a8629b9509be0878a445973a6481aaf00450

MD5 hash:

be8a7f4cce83e59757f4bc6e8ea14dfd

SHA1 hash:

d89e6962ca7f57f4c389257ef3ae3511dcda2649

Link:

https://www.unpac.me/results/517a0507-0630-4d0f-bedc-ed84a154ea79/

SH256 hash:

42a3e215b16219805c8c32d82cde96fc4d20233a06d0f144c08d9e51b8fa9080

MD5 hash:

8669c8fecebf1111df74739dd8c02032

SHA1 hash:

9c6a90d504263363634a6c199fd6f03072668f3c

Link:

https://www.unpac.me/results/517a0507-0630-4d0f-bedc-ed84a154ea79/

SH256 hash:

93640539e9c8428a5aaabe06fedaf6b32aaa33c021477413bb4a86f94deee712

MD5 hash:

14a305b37dc32c6e0b45879ded0d534e

SHA1 hash:

549ac16c99eb9c80e4021ae2b904906b0720063e

Link:

https://www.unpac.me/results/517a0507-0630-4d0f-bedc-ed84a154ea79/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.27

Link:

https://yomi.yoroi.company/submissions/93640539e9c8428a5aaabe06fedaf6b32aaa33c021477413bb4a86f94deee712

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/246640/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample