MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9534643f38e9d47c07b32097a951351d0b24da96927b5dc8f9e84e9cb371915e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	9534643f38e9d47c07b32097a951351d0b24da96927b5dc8f9e84e9cb371915e
SHA3-384 hash:	9e686518d6f620e53b8d2ab50d0367369965129d4f67b62f5d0581fedeff63b29d74dce2b23cf4f48ea82c2296add08c
SHA1 hash:	1853ac32fd681aca66a98d5d61695c641dd3af3b
MD5 hash:	62e047f1ad596202189a86ed644715a9
humanhash:	march-stairway-carbon-solar
File name:	image_16641jpg.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	287'744 bytes
First seen:	2021-10-17 09:24:26 UTC
Last seen:	2021-10-17 10:19:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:FrQMa4awdoLuKU5ND+qir16Y6P7o+LiHr:mFBLKr+12
Threatray	91 similar samples on MalwareBazaar
TLSH	T1B1549A625C541E10F3D049B745A08CE587B9AFDFD84EBB0E5AE3BAAA907F4CD137110A
File icon (PE):
dhash icon	156d6507070d154d (1 x RedLineStealer)
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

555

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/197965/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.31114.9158.8538.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mokes obfuscated packed

Link:

https://www.filescan.io/uploads/616bebf1db358dd15ebde46e/reports/6b79b90e-a695-42ae-a510-2d9e51cf529f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/050aff2e-3902-4021-8118-140d74c7c420

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/871782

Signature

.NET source code contains potential unpacker

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9534643f38e9d47c07b32097a951351d0b24da96927b5dc8f9e84e9cb371915e/

Threat name:

ByteCode-MSIL.Backdoor.Mokes

Status:

Malicious

First seen:

2021-10-17 01:18:00 UTC

AV detection:

13 of 27 (48.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=su2gipzy5hkhyb5tecl2sujvdufsjwuwsj5v3shz5bhjzm3rsfpa._file

Verdict:

malicious

RedLineStealer

1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba

RedLineStealer

2d94674cf3ddc45854de41ae7793f56a7053c10047f4503ce385a3bdbb737894

RedLineStealer

6c0a4f788136a3d56f31efaa5c0cf49b5769dced978a8ed0e45dc64ba766cadf

RedLineStealer

800346e0531230e0cde13dad6e6795fbf298fdc95c97481f6c28c4a1043227ce

RedLineStealer

b19eaf0721dd26a606c22a8e988f7a0c36a52587214169a3e59ad61e2fecb267

RedLineStealer

da184b3620bfaede69d888624cc3971efd9a72c58941a358d58f63e8d7eeffef

RedLineStealer

f880f1bdad4b6022e1ec7de81fdd9276f023dee04c56068698e88db70038886a

RedLineStealer

+ 81 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211017-ldl9ssdchq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Downloads MZ/PE file

RedLine

RedLine Payload

Unpacked files

SH256 hash:

9534643f38e9d47c07b32097a951351d0b24da96927b5dc8f9e84e9cb371915e

MD5 hash:

62e047f1ad596202189a86ed644715a9

SHA1 hash:

1853ac32fd681aca66a98d5d61695c641dd3af3b

Link:

https://www.unpac.me/results/4cf59cf0-252c-4ca3-bb39-7975b6ea9dcd/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9534643f38e9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/9534643f38e9d47c07b32097a951351d0b24da96927b5dc8f9e84e9cb371915e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197965/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample