MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9671dbba989625fb7bd1c0e0fb5c08eed3450152a963fab90ddd01c920a296e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash:	9671dbba989625fb7bd1c0e0fb5c08eed3450152a963fab90ddd01c920a296e8
SHA3-384 hash:	6a600a49bb45a1e2934e390d2bdc753be05638f86d52c17365f0a6b000d3f20b8ef13f3fafd36d9c35dd1ca7b565cc0e
SHA1 hash:	68c0d27dfd802fecc1baddc6ec3618edbf7879d6
MD5 hash:	482eee34ce40d463a3d77c17865238aa
humanhash:	green-snake-four-two
File name:	482eee34ce40d463a3d77c17865238aa.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	343'552 bytes
First seen:	2022-07-11 14:27:55 UTC
Last seen:	2022-07-14 05:10:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9813e10a0f48d1be76e94c0636ba796a (11 x RedLineStealer, 2 x Smoke Loader)
ssdeep	6144:aKPy6zvcV1XvqwWYBssrtDXYvMUqdw9V2wkiga:aKPvjcHvNW89tDIvGw9Vd
Threatray	4'983 similar samples on MalwareBazaar
TLSH	T1C374E002B2E2CB32D1A30D30587196A5217F7C236A34649BF71FBB2F6E703915AB5352
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

482eee34ce40d463a3d77c17865238aa.exe

Verdict:

Malicious activity

Analysis date:

2022-07-11 16:15:46 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/cfef260b-816a-40d2-97c8-5580215479c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/286306/

Detection(s):

Win.Packed.Fugrafa-9955718-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/25107/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62cc33c87d5b150059f41553/reports/13e7652c-5d3c-4e36-acc2-4bb4a159dcf8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a72b2ac9-c24c-4d65-b1bc-72d87e54a38f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1028713

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9671dbba989625fb7bd1c0e0fb5c08eed3450152a963fab90ddd01c920a296e8/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-07-11 03:47:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=szy5xouysys7w66rydqpwxai53jukaksvfr7voin3ua4sifcs3ua._file

Verdict:

malicious

RedLineStealer

8a0241fb0a7b532549280c4e8e3b0a41b10ed54130c3210669ae0319b37f1547

RedLineStealer

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

RedLineStealer

b180216a50259f6c1602343a6da48ccd1b9bc293e0d6ff4f1336fa212c482ce6

RedLineStealer

b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0

RedLineStealer

c247a5f323cd82c55da02753f02bfe2fe3d29140d4e00d75c7b0bddd673bcc5c

RedLineStealer

cba81435e728ba68e4006ff7fc5b044d794495db56099cd0741170ee248250f3

RedLineStealer

e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061

RedLineStealer

+ 4'973 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:cryptobiz discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220711-rszrbshhdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.150.103.38:5473

Unpacked files

SH256 hash:

d6642d79fe63b7fdcf1b55785f41912014c194098fc8d6dde8df366a85ad3424

MD5 hash:

2a05868bb65dcbbf1f5d46da09e0617a

SHA1 hash:

c8da9b69f7ecc1552905559192efe2157f203432

Link:

https://www.unpac.me/results/913bcc54-80b7-4fda-922e-9b4d736f9780/

SH256 hash:

d48f3e50d155e4beb127b3bf790affca76c80ab8aed74dcdb1637715d6b99dc7

MD5 hash:

6cff38fd33744aeefdd8e94352738175

SHA1 hash:

4b2d03234f2cfa46e253763c29ec6c5a84653c9a

Link:

https://www.unpac.me/results/913bcc54-80b7-4fda-922e-9b4d736f9780/

SH256 hash:

42f71d5820c67f934434a1037d7d0f479f3b632df45b0b428be409be5f3c5e01

MD5 hash:

77bfcffebae1c1846c51f350ab0a713d

SHA1 hash:

268e6f1bb91c52790eafa70bd89fc35c1b1a4f4a

Link:

https://www.unpac.me/results/913bcc54-80b7-4fda-922e-9b4d736f9780/

SH256 hash:

9671dbba989625fb7bd1c0e0fb5c08eed3450152a963fab90ddd01c920a296e8

MD5 hash:

482eee34ce40d463a3d77c17865238aa

SHA1 hash:

68c0d27dfd802fecc1baddc6ec3618edbf7879d6

Link:

https://www.unpac.me/results/913bcc54-80b7-4fda-922e-9b4d736f9780/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9671dbba9896/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9671dbba989625fb7bd1c0e0fb5c08eed3450152a963fab90ddd01c920a296e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.