MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9617d4eefc2c16ff7587d7a85c1f52d23053e02632e9cfc27e0a5eb84486f05c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	9617d4eefc2c16ff7587d7a85c1f52d23053e02632e9cfc27e0a5eb84486f05c
SHA3-384 hash:	c82bd1c84a9a3a69e0095f6a042ba3aa0ef7033522502a88ea29de2c6d76ccd6c9b039d9afbe93e7c13489b8d69e618a
SHA1 hash:	b339decb0fd779a0a7c192d321aec1017808e28e
MD5 hash:	d46c47543ab771c8d6bd2d7c9ba853a3
humanhash:	mango-foxtrot-kitten-yankee
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	324'608 bytes
First seen:	2022-11-24 16:30:59 UTC
Last seen:	2022-11-24 17:32:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6c40b34072a066ed2f848eec02bfbd5f (3 x Amadey, 2 x GCleaner, 2 x Smoke Loader)
ssdeep	6144:3D8VwwJLvjFAFoqe6jv3gB5HFV7n6kSw8rZuge6Bhk4GuRfk:3D8V7XFAFa6jvQBlnxFnl6Tllk
Threatray	10'575 similar samples on MalwareBazaar
TLSH	T16A64F12176C0D072C98F55704C149E689BBEB971AA746943BFD4177EAF203E1A736383
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	25ac137039939b91 (15 x Smoke Loader, 12 x Amadey, 6 x RedLineStealer)
Reporter	jstrosch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

829

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-24 16:32:05 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/56aefcd2-0e29-4bf6-ba0a-84ce4f2ee234

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/338131/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.13311.27554.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/637f9c46559d07a06f473ce8/reports/a8bcd73a-3605-4f04-a8c8-a4c7b352a736/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/42b35412-fbf2-4ae7-916b-7a86f91cb929

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1120649

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9617d4eefc2c16ff7587d7a85c1f52d23053e02632e9cfc27e0a5eb84486f05c/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-11-24 15:29:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=syl5j3x4fqlp65mh26ufyh2s2iyfhybgglu47qt6bjplqreg6boa._file

Verdict:

malicious

RedLineStealer

1193fb4fa844426c76ab4d206eff0daa52e04de6b8dae1e79504af205e273a11

RedLineStealer

3bc6b1cce521ab15adf5c30d624c6a4b77da480abd5a5828e10de6927bceedf1

RedLineStealer

3c5e247cb1e9728d3243c7eb4f814a1d42d35041a00802d50afe80a0da36b3a7

RedLineStealer

adea78b4c7b6b76b80e581b55f082cc6df741b0e450706d3e10922589a604d7e

RedLineStealer

c1f0a0c570f05ded30dbc78c7bfb4228a5dd97f89582c10bb58ac7478e47030c

RedLineStealer

f29190f00b2eb1f1452fb444e4668e8eeb23a7f29b97d3824e9ed688e8c8135f

RedLineStealer

+ 10'565 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:testing.v1 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221124-t1cymsfc94/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

185.106.92.111:2510

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8cf3e67a-6102-433c-9560-ad4dc2627c10

Unpacked files

SH256 hash:

02cab44045fbdb9fea168bfd610f3ce8a9fed85cac68be43ebf56add02b7b386

MD5 hash:

f26eb1bb41e233fbd94a159a2b9b72ca

SHA1 hash:

917bca7fe78a2726f86bb7da55b913cde2b678ce

Detections:

redline

Link:

https://www.unpac.me/results/8315b2d5-9824-44ef-a02b-126ede3abd40/

Parent samples :

47999c394312e7f04a093b746bf4ff411f20094aa46fd11be5fe767e3c6c4d9c
9617d4eefc2c16ff7587d7a85c1f52d23053e02632e9cfc27e0a5eb84486f05c

SH256 hash:

320cbb74eeeab9b7d05ff7a16ab7e22cf2f52af18e5af02458aeab3d06ffdc41

MD5 hash:

e47100a4b15afd03504ab350a4fb2293

SHA1 hash:

51f36153f7ba5f115b663902dac27eff87d8c58a

Detections:

redline

Link:

https://www.unpac.me/results/8315b2d5-9824-44ef-a02b-126ede3abd40/

Parent samples :

47999c394312e7f04a093b746bf4ff411f20094aa46fd11be5fe767e3c6c4d9c
9617d4eefc2c16ff7587d7a85c1f52d23053e02632e9cfc27e0a5eb84486f05c

SH256 hash:

f51ae0f72757d15b725297f6d88249ae5d94bedc74fe6e123043afe7564e414a

MD5 hash:

5e2cdc24d98dac0f1a93ca5966d5b193

SHA1 hash:

3542bbe6cb01888f015a827d55974e0777231bc4

Link:

https://www.unpac.me/results/8315b2d5-9824-44ef-a02b-126ede3abd40/

SH256 hash:

9617d4eefc2c16ff7587d7a85c1f52d23053e02632e9cfc27e0a5eb84486f05c

MD5 hash:

d46c47543ab771c8d6bd2d7c9ba853a3

SHA1 hash:

b339decb0fd779a0a7c192d321aec1017808e28e

Link:

https://www.unpac.me/results/8315b2d5-9824-44ef-a02b-126ede3abd40/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9617d4eefc2c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9617d4eefc2c16ff7587d7a85c1f52d23053e02632e9cfc27e0a5eb84486f05c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.