MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9664ba24107e9d27fd93fad729bc189a7c2139231543aa2431c179b45cf620af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9664ba24107e9d27fd93fad729bc189a7c2139231543aa2431c179b45cf620af
SHA3-384 hash: 9ce227711d062e5482b173e311b4ef3b28243b15b94a24bc274760cc643052d777f0b21ab3d33003e4dbacf3c5d9effb
SHA1 hash: b1548b1d952719823406b6da8c5b8411e1c9651a
MD5 hash: efbdabf385c389aa1a08777fd1bc71d8
humanhash: red-glucose-november-blue
File name:efbdabf385c389aa1a08777fd1bc71d8
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'953'264 bytes
First seen:2021-09-24 20:36:03 UTC
Last seen:2021-09-24 22:01:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:l8ebUU1y7zSUAhqsHqx0pJSYCvewySOyGznqUqAQWDcT:l8ebUU1y7zSUAhqL0OYFwPO5nqUq6q
Threatray 240 similar samples on MalwareBazaar
TLSH T16C955261F20C69F3F69C7A79C3AB542003966CE65A61C34DFE5E23C968E09864DCB707
File icon (PE):PE icon
dhash icon 503878f2c2e8f000 (3 x RedLineStealer, 1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.108.4.54:11645 https://threatfox.abuse.ch/ioc/226449/

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
efbdabf385c389aa1a08777fd1bc71d8
Verdict:
Malicious activity
Analysis date:
2021-09-24 20:36:43 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/082d22d9-0e5f-48a9-9e41-b5ade1414bb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191279/
Detection(s):
SecuriteInfo.com.ArtemisEFBDABF385C3.16766.23006.UNOFFICIAL
Create hunting rule

Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0af3093-2311-4140-8779-4a2677a9e0c1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857644
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9664ba24107e9d27fd93fad729bc189a7c2139231543aa2431c179b45cf620af/
Threat name:
ByteCode-MSIL.Trojan.DarkStealerLoader
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 15:50:59 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szslujaqp2osp7mt7llstpaytj6ccojdcvb2ujbryf43ixhwecxq._file
Verdict:
malicious
Similar samples:
0ea9a18d16f9be86d0f0b8b1da9250584cd4cf0aa83ba0ef57771010d3f80f27
RedLineStealer
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
RedLineStealer
3ca3ef048fd26e03a002f3fc9d80ecf27621dd27643857cfdac7c60c26d36a27
RedLineStealer
8d54f39dca652351657082145dcf19755740f1d807204a28345c8660c74546e2
RedLineStealer
8e1744ef99e2d9e8aa9447dd7495ea10c66c50d03125eda0574c1e29c71237ff
RedLineStealer
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
RedLineStealer
9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a
RedLineStealer
b948568e3dd6b10e2497a62c0d86a8ffa061cb8c1789e1b76d3b4ffde3dc64fd
RedLineStealer
e6caab24402f364bef57cd70a56650b7d657d3098e63361de7ddef5539199a66
RedLineStealer
+ 230 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline agilenet discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210924-zdlj6ahhen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
65.108.4.54:11645
Unpacked files
SH256 hash:
de13759e2b8478fee5c2732b3d92fbbe53287d2fed220df604721898a54ed133
MD5 hash:
d7e4dfa16ccea5ca3857e3de73fc3465
SHA1 hash:
7bb5acaebdcd1eea37f5876ba6cc21bc96aabd35
Link:
https://www.unpac.me/results/cf2f1493-3d28-4103-8212-a21df9ab883e/
SH256 hash:
511910c6b870f95d5b3d43d77358f00183b66b114151da5d1f386731700d5272
MD5 hash:
56adf6c85df84c78ff9753da75b7be5f
SHA1 hash:
6f0b058d6243981b597acf03cc6d623ee9ad8d7a
Link:
https://www.unpac.me/results/cf2f1493-3d28-4103-8212-a21df9ab883e/
SH256 hash:
e45246c5f8b4bc39c687e84062044203ea0fe4c128dd5ea487572b534b204006
MD5 hash:
7e328a116ef14f761f2b5f542ecccb45
SHA1 hash:
4f68fa36e7de09db681325588c7cab43e5b53411
Link:
https://www.unpac.me/results/cf2f1493-3d28-4103-8212-a21df9ab883e/
SH256 hash:
efd2f7657839b252c2fb8489c1ccf610b8e57b471efe049de86a74bc1506775d
MD5 hash:
c3f3e4a9e9ab54bf847a9fc02e7a2160
SHA1 hash:
0853bec33e36ede763927cda0f03129ca763bc07
Link:
https://www.unpac.me/results/cf2f1493-3d28-4103-8212-a21df9ab883e/
SH256 hash:
9664ba24107e9d27fd93fad729bc189a7c2139231543aa2431c179b45cf620af
MD5 hash:
efbdabf385c389aa1a08777fd1bc71d8
SHA1 hash:
b1548b1d952719823406b6da8c5b8411e1c9651a
Link:
https://www.unpac.me/results/cf2f1493-3d28-4103-8212-a21df9ab883e/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9664ba24107e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/9664ba24107e9d27fd93fad729bc189a7c2139231543aa2431c179b45cf620af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9664ba24107e9d27fd93fad729bc189a7c2139231543aa2431c179b45cf620af

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1642815/
Cape
Cape
https://www.capesandbox.com/analysis/191279/

Comments


Avatar
zbet commented on 2021-09-24 20:36:04 UTC

url : hxxp://2.56.59.42/WW/file4.exe