MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784cddd7406dfde89034a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784cddd7406dfde89034a4
SHA3-384 hash:	5c836b9bf545b81ffb28f683d473a9ad63d77f95c456fafcc7087cdf15d7d0b7dc84b26ff34e5dd88a9d3cb224b5b376
SHA1 hash:	b6f9a62628b856aa706efab5ea134ddbee64e1dd
MD5 hash:	12263661b10a295be32761bbd42d8bf9
humanhash:	mobile-nevada-william-violet
File name:	9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	286'720 bytes
First seen:	2021-11-19 08:42:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	702a7c8c628781977ea801fc66976f12 (3 x RedLineStealer, 2 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	6144:jpgNYpBdVYDDXSprdYy0zR2VQB/2yz1j75Y1Lu/:jpgapBdYDiphszIQB/2yzVlY9u
Threatray	3'765 similar samples on MalwareBazaar
TLSH	T13B54F1017BF3883DE9A7CA34247546A14B337D726A74C14E3724163E8E722D19AB3B63
File icon (PE):
dhash icon	fcfc94d4d4d4d8c0 (24 x RaccoonStealer, 21 x RedLineStealer, 9 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
95.216.168.100:38784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.216.168.100:38784	https://threatfox.abuse.ch/ioc/250769/

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784.exe

Verdict:

Malicious activity

Analysis date:

2021-11-19 08:59:35 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/0b6cf865-91a4-44b7-9957-fae3f426bf07

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

Win.Packed.Generic-9908949-0

Win.Dropper.Fragtor-9909325-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6197636043e8f62b669a1c30/reports/a8937326-50cd-4021-9737-a243685f527b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c928c74e-24fe-4448-8f61-7962443cc17e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/892524

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784cddd7406dfde89034a4/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-11-19 08:42:07 UTC

AV detection:

24 of 44 (54.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=susn3ihx5d5kmld2gwus3e26wcswq5sz7z4ezxoxibw732eqgssa._file

Verdict:

malicious

RedLineStealer

136b09653c55e04d3c4162c116bebb52dc337d62cdd69e2f0977fbc17e69dfd0

RedLineStealer

32a870968707205b82b21b74b8e7e295221dd3ef81a6ee67cab7cf5628c89f2d

RedLineStealer

537b0c489b9e35fc06423d79171392e07d1147f9992d9219bd6ba597f438d6c0

RedLineStealer

6a7af1d145e133bfd37416108227befcfd1c15597f3a05fdf39ec95b9e8f1cfe

RedLineStealer

ed786315c90cafc4e4b6fe237cebec8a8bd038b6203da8477d19ec8bbb9a09e4

RedLineStealer

f14f18ed96467a5005fd9bc67ff6b4a2c253a2438461880fff9d5cee2a26959d

RedLineStealer

+ 3'755 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1811 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211119-kl2h1shger/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

95.216.168.100:38784

Unpacked files

SH256 hash:

32b581b32370d39e23c3ef09ee343ef0dd3c5b2a5a852da36d0ac5d4a943225c

MD5 hash:

230c4cbe02163550b3f7b0cf55697860

SHA1 hash:

9a14616eb3c594456c48bb19818f04c2f2ec4d2c

Link:

https://www.unpac.me/results/679e77fa-9cd1-47c5-ad13-c843fced0570/

SH256 hash:

6198042db49e0403f6c5dd514a596e186cd9780c35e80294bc727b509bf3f3d1

MD5 hash:

102658510d05e463f0afa0ecd5f3c8b5

SHA1 hash:

31b925feff6274124d2eb1ce5605d1ec321db045

Link:

https://www.unpac.me/results/679e77fa-9cd1-47c5-ad13-c843fced0570/

SH256 hash:

e018fa29d90b5a715e7a955653f100f7afbdcb769eb9b9b0c0edae7b3918c18e

MD5 hash:

e87a3962ebb62e016297a657ee915839

SHA1 hash:

2503638b069da53f45f5b9fcda325ee55a2b2406

Link:

https://www.unpac.me/results/679e77fa-9cd1-47c5-ad13-c843fced0570/

SH256 hash:

9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784cddd7406dfde89034a4

MD5 hash:

12263661b10a295be32761bbd42d8bf9

SHA1 hash:

b6f9a62628b856aa706efab5ea134ddbee64e1dd

Link:

https://www.unpac.me/results/679e77fa-9cd1-47c5-ad13-c843fced0570/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9524dda0f7e8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9524dda0f7e8faa62c7a35a92d935eb0a5687659fe784cddd7406dfde89034a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/207562/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample