MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 973294652225d5fa7ed66a39c2c0b1ef2b518169f1300ca0109c61cde55d35f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	973294652225d5fa7ed66a39c2c0b1ef2b518169f1300ca0109c61cde55d35f1
SHA3-384 hash:	636e76a8e54ae582cc1b94450fd137c790ca08eab5d1ad5c563061e02104980e154404c8f3746806d8d309d70488a2a3
SHA1 hash:	7c886ad5ab69206f22075d6b8c778dc5e514d4fa
MD5 hash:	878be304021282447ed5bb97ef5bc889
humanhash:	london-oregon-zulu-helium
File name:	878be304021282447ed5bb97ef5bc889.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'167'872 bytes
First seen:	2021-10-20 06:22:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:jcGQJ8yL7NNB+4F0PY24OAMRMOOYNE2jTnHinTI4:jc+4t2vXAUMOOoDKI
Threatray	29 similar samples on MalwareBazaar
TLSH	T1204523D119ED50FDE2D035B9862B4ECDF1287E311AA049934AE437390772ED33AAE274
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

205

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2.exe

Verdict:

Malicious activity

Analysis date:

2021-10-19 18:08:38 UTC

Tags:

evasion trojan opendir rat redline loader stealer vidar raccoon

Link:

https://app.any.run/tasks/b87629a5-febc-4705-95b9-5114652076a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

EnigmaStub

Link:

https://www.capesandbox.com/analysis/198714/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-1

Win.Trojan.Darkkomet-6992917-0

Win.Malware.Enigma-9786119-0

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/616fb6db9a5a1e91c5c7016e/reports/bdbf9dde-b738-437b-9e39-56cc4731bce0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16c7140d-cf3a-4846-9087-705b60b3a8ae

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/873673

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/973294652225d5fa7ed66a39c2c0b1ef2b518169f1300ca0109c61cde55d35f1/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-10-19 17:28:22 UTC

AV detection:

23 of 43 (53.49%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=s4zjizjcexk7u7wwni44fqfr54vvdalj6eyaziaqtrq43zk5gxyq._file

Verdict:

malicious

RedLineStealer

732ba56b4b4044d7356b745db037e41fafe74dd8610e29c5b8c811a18936c09a

RedLineStealer

7ec599424a161fe942345c2336dd0cfb8c7d64e6e72b8e90efd999328b06cc04

RedLineStealer

953dd19700177beaf848e510418db83c8481ce466819c7052be8d93974ce3191

RedLineStealer

b7392c844ea9854c632bedf6f9b4b2ebca5878a5771ba81c13d8ae8c4a48f29d

RedLineStealer

d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d

RedLineStealer

dc050b963c642e86bf74da5e85fbfcb0b3c12bd692808bf8ae12a36f4bcf3c84

RedLineStealer

fca3a8527a1f895a5aa06d5cec9ba6be6644ae8ba144a0f3be590f4c4e761cfe

RedLineStealer

+ 19 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/211020-g5gfeagfd4/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

973294652225d5fa7ed66a39c2c0b1ef2b518169f1300ca0109c61cde55d35f1

MD5 hash:

878be304021282447ed5bb97ef5bc889

SHA1 hash:

7c886ad5ab69206f22075d6b8c778dc5e514d4fa

Link:

https://www.unpac.me/results/925b0ba5-84ed-47a0-a931-59248560fbf9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/973294652225/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/973294652225d5fa7ed66a39c2c0b1ef2b518169f1300ca0109c61cde55d35f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_Honker__builder_shift_SkinH Create hunting rule
Author:	Florian Roth
Description:	Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe
Reference:	Disclosed CN Honker Pentest Toolset

Rule name:	CN_Honker__builder_shift_SkinH_RID32C6 Create hunting rule
Author:	Florian Roth
Description:	Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe
Reference:	Disclosed CN Honker Pentest Toolset

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_smominru_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/198714/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample