MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9631e649332c76995b0e687fcd99281c9cdc87508bd5d0ec7aa43c2a454f4d29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9631e649332c76995b0e687fcd99281c9cdc87508bd5d0ec7aa43c2a454f4d29
SHA3-384 hash: cbfcfe6480569428c6a077b62af81c8dc4db02bbe6d6ddce725410d0e04a9ff66a5a461007746d4820c79e3a7c5ca336
SHA1 hash: 84b2ab06cb8f9406627631f45c72aeee2aee7438
MD5 hash: 0942169ec2e65609b4289811c232928b
humanhash: wisconsin-carpet-william-oranges
File name:0942169ec2e65609b4289811c232928b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'333'312 bytes
First seen:2023-07-19 13:10:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 98304:c2RZ75ZrpcMkrpPRc7r6yJYSzZOhR69lg:c2LvrmM+O3hJYSlD9q
Threatray 13 similar samples on MalwareBazaar
TLSH T1B1F55AE1B640F000F7569D37B08A0991D9613CE3BB62FDF67E57B7682738AE40648693
TrID 53.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f4e4e0e4e4e4e4e4 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:HUAWEI MatePad SE (AGS5-L09) 4/64Gb LTE Black
Issuer:HUAWEI MatePad SE (AGS5-L09) 4/64Gb LTE Black
Algorithm:sha1WithRSAEncryption
Valid from:2023-07-18T10:19:37Z
Valid to:2033-07-19T10:19:37Z
Serial number: 63929a64c37f49b74517c54b8e4ebbbd
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: fbfd557f317ab0dbd44e931466f07a645db7ce5cd4670be49f750b3ae95b7480
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0942169ec2e65609b4289811c232928b
Verdict:
Malicious activity
Analysis date:
2023-07-19 13:13:17 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/819669b6-dfb3-4e61-8d8b-d79e3aa03963

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/424951/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.12807.10384.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware hacktool lolbin msbuild obfuscated overlay packed replace
Link:
https://www.filescan.io/uploads/64b7e0e8f52c3e1a014a75e9/reports/6b71b831-31a8-46a3-9be0-a2970a65f579/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9631e649332c76995b0e687fcd99281c9cdc87508bd5d0ec7aa43c2a454f4d29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cfbf2cb-446e-45b7-9740-289b9a8a4e68
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1275985
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275985 Sample: uiAA843mxy.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 60 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Machine Learning detection for sample 2->23 6 uiAA843mxy.exe 1 2->6         started        process3 file4 17 C:\Users\user\AppData\...\uiAA843mxy.exe.log, ASCII 6->17 dropped 9 MSBuild.exe 6->9         started        11 MSBuild.exe 6->11         started        13 MSBuild.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9631e649332c76995b0e687fcd99281c9cdc87508bd5d0ec7aa43c2a454f4d29/
Threat name:
Win32.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 08:31:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
72
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=syy6msjtfr3jswyonb743gjidsonzb2qrpk5b3d2uq6curkpjuuq._file
Verdict:
malicious
Similar samples:
1ee69c42df83049fca14e2560bacb7fef8e412f7da3cf2215c83e668b5673c4d
RedLineStealer
35bec8209ce812572a8ca75f137e8c2b6c1271fea7c96a72a4e08087b640fa0c
RedLineStealer
50fa028368e760bc85d0216e2ad6f80446fe8698804d8d3cfadbf83481ba68e2
RedLineStealer
6a4e611067897fb1deef968b156672bfb0bb4098c9bcc65d1fbbd7cf24a656ad
RedLineStealer
909e6a3a60bc50f1633f1252c42b41eb640828cd7c9bccc1eef7750bbff427a6
RedLineStealer
b1838dc1e966a360289a58a00daee92fcf223d430d9bb4771d457b8739c8179e
RedLineStealer
cf9944b351eda2da99e91c10fbad5ce3d12f95c69650ebf893d64ff646b1114e
RedLineStealer
e30fb0167cff4b0cc4cbc651e4c833459e94a603b8b9a33d449986ca641f7ce8
RedLineStealer
f7af421884d41f4153ff5e47dd43c0f65c1e9f04738fc47fc92d2bbbf82a621c
RedLineStealer
+ 3 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/230719-qext5sgd5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Unpacked files
SH256 hash:
d315f064a4ec5fad0e4fb060749060bbc83f08555cfa791adff31be8104781c0
MD5 hash:
0498b5e2addbfce8b809f9d1bb05893d
SHA1 hash:
94864ba59e3b6213c919a11d178c2d3216e7eec7
Link:
https://www.unpac.me/results/a9cc3a7b-0db4-4071-8739-53109f613aef/
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/a9cc3a7b-0db4-4071-8739-53109f613aef/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
d61dc884167e95d6b85a7aaccd149b7754ee8112b5d875452e680ea525a14e0e
MD5 hash:
312a4f41fcf54690b7cfb8dea5bd7d20
SHA1 hash:
32c18b8a6a0dca71e685615ad0cad437c9c76397
Link:
https://www.unpac.me/results/a9cc3a7b-0db4-4071-8739-53109f613aef/
SH256 hash:
9631e649332c76995b0e687fcd99281c9cdc87508bd5d0ec7aa43c2a454f4d29
MD5 hash:
0942169ec2e65609b4289811c232928b
SHA1 hash:
84b2ab06cb8f9406627631f45c72aeee2aee7438
Link:
https://www.unpac.me/results/a9cc3a7b-0db4-4071-8739-53109f613aef/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9631e649332c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9631e649332c76995b0e687fcd99281c9cdc87508bd5d0ec7aa43c2a454f4d29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9631e649332c76995b0e687fcd99281c9cdc87508bd5d0ec7aa43c2a454f4d29

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2685795/
Cape
Cape
https://www.capesandbox.com/analysis/424951/

Comments


Avatar
zbet commented on 2023-07-19 13:10:59 UTC

url : hxxp://disgen.in/1/data64_1.exe