MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021
SHA3-384 hash:	f9868c1857b5a29319000fba0e0b7b65f6b3743209993ccd96b86aff07c4b6a634945857cb5893b58af4fee64da82637
SHA1 hash:	2b28e907966faf464f986799760c090936654fc6
MD5 hash:	bfd6a4714cd64d594e46481b1e205a94
humanhash:	kansas-october-tango-one
File name:	bfd6a4714cd64d594e46481b1e205a94.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	256'840 bytes
First seen:	2023-12-16 17:10:14 UTC
Last seen:	2023-12-16 18:30:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	59737f231ef329f299654331c80b5130 (5 x RedLineStealer, 3 x LummaStealer)
ssdeep	3072:+/0YXFZd045KytF3QencbB/Y/F1tH/qJ9Qv87Y5kOY7c:+/xVH047FAencbB/Y/F154Wv87Yem
TLSH	T1C6448DF66811F437E9C150F65439B2E3376C270F27E1C76B0AAC8524BFB5361942A6E8
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
95.164.17.248:25647

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468060/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.34781.25205.5936.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed redline

Link:

https://www.filescan.io/uploads/657dda27b4e856b7281c2a4d/reports/4c21cb23-3d76-4cb0-9944-27d902f58c66/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/353a8227-4451-4b3a-b1ca-90e34d146a39

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1363446

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021/

Threat name:

Win32.Trojan.RedlineStealer

Status:

Malicious

First seen:

2023-12-13 13:38:47 UTC

File Type:

PE (Exe)

AV detection:

26 of 37 (70.27%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sycpvhn37pjqsg6rni3bg7eh37d3ib5rmzfcmftra4ayg6ulqaqq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/231216-vp9c5sdfe5/

Unpacked files

SH256 hash:

9f450055313238d9eee09f03a85c296fccc75d6f3f891ddb4fc8d6fa2db47c60

MD5 hash:

9d01d266b4711f2e0de7fe2000cb7326

SHA1 hash:

79ab9de6b52ff9136a53e3c06dfc938601793633

Detections:

redline

Link:

https://www.unpac.me/results/f57a062b-b174-4d45-8c47-8e6ec50f3802/

SH256 hash:

9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021

MD5 hash:

bfd6a4714cd64d594e46481b1e205a94

SHA1 hash:

2b28e907966faf464f986799760c090936654fc6

Link:

https://www.unpac.me/results/f57a062b-b174-4d45-8c47-8e6ec50f3802/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9604fa9dbbfb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468060/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample