MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9731b7ff3fe2fcfbc0a95348eabc2ee5ad905a5f2431ba322dbcf54f3de115fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9731b7ff3fe2fcfbc0a95348eabc2ee5ad905a5f2431ba322dbcf54f3de115fb
SHA3-384 hash: ed54dc6c0b40c28c46d724d0bf8f6b42adf6e5bba397d2454a92320539ed9782d46ae085428eceb66883dbf0ee388b40
SHA1 hash: a740b228c2648d794ae6f1f8a2561a9a13b4b714
MD5 hash: e183528c28869ef263d53a537a813d91
humanhash: don-violet-orange-bluebird
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:406'032 bytes
First seen:2022-09-17 17:01:16 UTC
Last seen:2022-09-18 06:39:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a81b6ebaf09a8103e7d79617bf9c3ed (2 x RedLineStealer)
ssdeep 6144:FmV8Dm2iJtn4bjXUi01U/PbPpPvzZtHIMf7LWMmPU9MoKByzLYT5LU8Oc:3It4bjXUi01UHbxzZF3vlzut
Threatray 2'385 similar samples on MalwareBazaar
TLSH T112844B4BFB4382F3F52700F0649AFBBE81246102C8F6AE6BD9A4DD12F671A6D171125D
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc446543183_650800296?hash=MqIx4ZYeqx6onYkBC9cx2pe0fliBgBgYFPfETgPiz88&dl=GQ2DMNJUGMYTQMY:1663433380:OX1wpUPziBva7ZtZbfJmx4IqJvYXuolbZWvEk7d3JTP&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads :
12
# of downloads :
413
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-17 17:04:09 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/5ce3939e-6c7a-4c51-8979-58a12a6c4332

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310970/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.17743.7336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/6325fe121183046074ac2c40/reports/1a6a7379-d19c-4ef8-aa20-80ab6b340d38/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b66ef9e9-826d-4b13-89ac-1ccd886b6b37
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072301
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 704843 Sample: file.exe Startdate: 17/09/2022 Architecture: WINDOWS Score: 100 85 stratum-eu.rplant.xyz 2->85 87 pool-fr.rplant.xyz 2->87 111 Snort IDS alert for network traffic 2->111 113 Multi AV Scanner detection for domain / URL 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 5 other signatures 2->117 12 file.exe 1 2->12         started        15 MoUSO.exe 2->15         started        signatures3 process4 signatures5 141 Contains functionality to inject code into remote processes 12->141 143 Writes to foreign memory regions 12->143 145 Allocates memory in foreign processes 12->145 147 Injects a PE file into a foreign processes 12->147 17 AppLaunch.exe 15 7 12->17         started        22 conhost.exe 12->22         started        149 Antivirus detection for dropped file 15->149 151 Detected unpacking (changes PE section rights) 15->151 153 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->153 155 5 other signatures 15->155 process6 dnsIp7 81 77.73.134.27, 49720, 8163 FIBEROPTIXDE Kazakhstan 17->81 83 transfer.sh 144.76.136.153, 443, 49721, 49722 HETZNER-ASDE Germany 17->83 75 C:\Users\user\AppData\Local\...\up_setup.exe, PE32+ 17->75 dropped 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->119 121 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->121 123 Tries to harvest and steal browser information (history, passwords, etc) 17->123 125 Tries to steal Crypto Currency Wallets 17->125 24 up_setup.exe 1 17->24         started        file8 signatures9 process10 signatures11 127 Hijacks the control flow in another process 24->127 129 Writes to foreign memory regions 24->129 131 Allocates memory in foreign processes 24->131 133 2 other signatures 24->133 27 AppLaunch.exe 15 24->27         started        31 conhost.exe 24->31         started        process12 dnsIp13 93 transfer.sh 27->93 77 C:\Users\user\AppData\Local\...\wsetupo.exe, PE32 27->77 dropped 79 C:\Users\user\AppData\Local\Temp\wsetup.exe, PE32+ 27->79 dropped 33 wsetup.exe 1 27->33         started        37 wsetupo.exe 27->37         started        file14 process15 dnsIp16 69 C:\Windows\System32\drivers\etc\hosts, Non-ISO 33->69 dropped 71 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 33->71 dropped 95 Multi AV Scanner detection for dropped file 33->95 97 Query firmware table information (likely to detect VMs) 33->97 99 Modifies the hosts file 33->99 107 3 other signatures 33->107 40 cmd.exe 1 33->40         started        43 cmd.exe 1 33->43         started        45 powershell.exe 17 33->45         started        47 powershell.exe 34 33->47         started        89 dba692117be7b6d3480fe5220fdd58b38bf.xyz 104.21.17.54, 443, 49733, 49734 CLOUDFLARENETUS United States 37->89 91 192.168.2.1 unknown unknown 37->91 73 C:\Users\user\AppData\Local\cache\MoUSO.exe, PE32 37->73 dropped 101 Antivirus detection for dropped file 37->101 103 Detected unpacking (changes PE section rights) 37->103 105 Performs DNS queries to domains with low reputation 37->105 109 4 other signatures 37->109 49 schtasks.exe 37->49         started        file17 signatures18 process19 signatures20 135 Uses cmd line tools excessively to alter registry or file data 40->135 137 Uses powercfg.exe to modify the power settings 40->137 139 Modifies power options to not sleep / hibernate 40->139 51 conhost.exe 40->51         started        53 sc.exe 40->53         started        65 9 other processes 40->65 55 conhost.exe 43->55         started        57 powercfg.exe 43->57         started        67 3 other processes 43->67 59 conhost.exe 45->59         started        61 conhost.exe 47->61         started        63 conhost.exe 49->63         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9731b7ff3fe2fcfbc0a95348eabc2ee5ad905a5f2431ba322dbcf54f3de115fb/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-17 17:02:06 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4y3p7z74l6pxqfjkneovpbo4wwzaws7eqy3umrnxt2u6ppbcx5q._file
Verdict:
malicious
Similar samples:
15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
RedLineStealer
7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca
RedLineStealer
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
RedLineStealer
9ca85db909ababb84b0ea3fc5b0156dc01bb940999a91466cea93f683f53f11e
RedLineStealer
a2f0a1d469d73a11c69afc9eb12000fa7f7652305d936a10d12dabce693f878b
RedLineStealer
a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
RedLineStealer
bcec9d5bf1c3652cf5d200ff652c71c56cc17e59c99b320f7ae77c1e4f5b15db
RedLineStealer
d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
RedLineStealer
+ 2'375 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220917-vj4wgaeaep/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/203512b7-cd35-439e-8e22-0c746e5336a3
Unpacked files
SH256 hash:
6091c020ed18b12644676878dfd9d2a6f337b0aaf0d8481c53a7854834910feb
MD5 hash:
9f4ef3f77f317e5e452030a6c98f701a
SHA1 hash:
f5881bf0bbc3ed6937ab26114827aef0900d170e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1745388c-f5d4-4637-8fe2-414c255d86fe/
SH256 hash:
9731b7ff3fe2fcfbc0a95348eabc2ee5ad905a5f2431ba322dbcf54f3de115fb
MD5 hash:
e183528c28869ef263d53a537a813d91
SHA1 hash:
a740b228c2648d794ae6f1f8a2561a9a13b4b714
Link:
https://www.unpac.me/results/1745388c-f5d4-4637-8fe2-414c255d86fe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9731b7ff3fe2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9731b7ff3fe2fcfbc0a95348eabc2ee5ad905a5f2431ba322dbcf54f3de115fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/310970/

Comments