MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9777f2cf04e2600693817b4a63dface6a20ff7dd6bb04dca2af027c510318c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9777f2cf04e2600693817b4a63dface6a20ff7dd6bb04dca2af027c510318c37
SHA3-384 hash: 7eb316482085f25e7ba7719629de5a247a48e710c7d7f83837d5a13fb02c3d8bfcdcd2d45e64064872b8747e59bc9287
SHA1 hash: b0185ccbf1c446b4c0a4d9d3fe1ce5adff6c6b71
MD5 hash: a03a882147c3a5dc681203c9f2089968
humanhash: high-stream-tennessee-ohio
File name:a03a882147c3a5dc681203c9f2089968
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:346'624 bytes
First seen:2021-09-04 11:33:07 UTC
Last seen:2021-09-04 13:20:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 69664ea36ab9a3e93e02fa2b7fdf56ab (4 x Stop, 3 x RedLineStealer, 2 x RaccoonStealer)
ssdeep 6144:S2L7FjtfM7L0wUb/SHUWWKXsRnfN9vtEp1VoeLZzDd0f9a:rdtfM7LSb/uUWWh11rElr0f
Threatray 5'575 similar samples on MalwareBazaar
TLSH T13B74BE30BA90C036F5F725F459B692B8B5287EB1572450CFA3C46AE927346E8EC31787
dhash icon e0e8e8e8aa66a499 (32 x RaccoonStealer, 23 x RedLineStealer, 14 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a03a882147c3a5dc681203c9f2089968
Verdict:
Malicious activity
Analysis date:
2021-09-04 11:33:42 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/97f09c90-a801-4d03-a1c3-84e9d50345db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185298/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.6969.31644.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Sending a UDP request
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b111920e-67cb-490b-9ea3-240e44033a7b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/845246
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9777f2cf04e2600693817b4a63dface6a20ff7dd6bb04dca2af027c510318c37/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 11:34:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s537ftye4jqane4bpnfghx5m42ra7565noye3srk6at4kebrrq3q._file
Verdict:
malicious
Similar samples:
0345355aeddf2ebfb4268ffbc6930eb25bd0a6ac7c29ec9392a3fa13cc9179c5
RedLineStealer
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
RedLineStealer
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
RedLineStealer
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
RedLineStealer
7d94e232d215d5e0aeda7f612c0b23aa13ee0591cbc9edfaf8bd69e6b311fc5e
RedLineStealer
9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467
RedLineStealer
9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
RedLineStealer
b16312efaa5c99706690f35e9ca41748c7ac793ff06e9d4f5ece91c960d25ff5
RedLineStealer
+ 5'565 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:nova discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210904-npe1zahcfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.142.77.129:60601
Unpacked files
SH256 hash:
54099db64ec7041cda5ab4605a2e63cd0f2eb50d89d8a78f88583604f62bfe6f
MD5 hash:
02c98030d48bdc0a1886895b98e864ec
SHA1 hash:
dce28d48957a16e72bd963fcea535c9294fba1bb
Link:
https://www.unpac.me/results/d7001e5d-dbbf-42c6-af46-45dd47d6f2d0/
SH256 hash:
88d6c80bef17b23b9606ce3202f90ef73b0b21f8062e9e41b89ef38afb26aa8c
MD5 hash:
c6354fc464ac758a73cbc5cfe25de0bb
SHA1 hash:
b80808744ed1d630b84ee99ef76077a288652c7c
Link:
https://www.unpac.me/results/d7001e5d-dbbf-42c6-af46-45dd47d6f2d0/
SH256 hash:
9041bee4a27445c0360e19ddbd300f95df59c7ca0bd3632456485c0c57e22b09
MD5 hash:
31c9d3357bcb96935f2fb3ce340cd953
SHA1 hash:
2102dc9fcbe74a93b78b66cd490dc49f965918b3
Link:
https://www.unpac.me/results/d7001e5d-dbbf-42c6-af46-45dd47d6f2d0/
SH256 hash:
9777f2cf04e2600693817b4a63dface6a20ff7dd6bb04dca2af027c510318c37
MD5 hash:
a03a882147c3a5dc681203c9f2089968
SHA1 hash:
b0185ccbf1c446b4c0a4d9d3fe1ce5adff6c6b71
Link:
https://www.unpac.me/results/d7001e5d-dbbf-42c6-af46-45dd47d6f2d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9777f2cf04e2600693817b4a63dface6a20ff7dd6bb04dca2af027c510318c37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9777f2cf04e2600693817b4a63dface6a20ff7dd6bb04dca2af027c510318c37

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185298/

Comments


Avatar
zbet commented on 2021-09-04 11:33:08 UTC

url : hxxp://185.255.120.26/forum/pics/sefile2.exe