MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 978e91c1a1ab273aecebfa1a686a0110b3431fd1745034814673c86904909b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA 6 File information Comments

SHA256 hash:	978e91c1a1ab273aecebfa1a686a0110b3431fd1745034814673c86904909b71
SHA3-384 hash:	6d574788a17c186ca1d343bf55357b06d537a7a4be56836937517016aabd1cc20b07bd0e8574657869d8a9be8ac46797
SHA1 hash:	c8f964a91face046fb9e22f56c23ce9834ca9627
MD5 hash:	cd96d77570fa7a0fb6b7bf2f221f4f0d
humanhash:	hot-white-pip-vegan
File name:	Installer 2.0.rar
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'733'355 bytes
First seen:	2022-09-22 22:10:03 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	24576:WntPs6tYHqVDX6+eRaYKYOSfMI6wM2yGpddkJPQRmreCmf6oStu7qLXKiRYL8+WI:+ZLmqVDNe1xRZCTu7qLXKiRYa4tl3x
TLSH	T151C519135A8B0D79CDD277B4A1CB633AA734ED30CA2A9B7FB708C43959532C56C1A742
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	iam_py_test
Tags:	rar RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

n/a

File Archive Information

This file archive contains 11 file(s), sorted by their relevance:

File name:	41
File size:	7'680 bytes
SHA256 hash:	5dd8c6691f174d203dd578c4cf46e18817b8f8400eb0ee5fe31e0ba1bfec7902
MD5 hash:	b2193045c3b863b554b65a20724f27cf
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	80
File size:	1'024 bytes
SHA256 hash:	9752af846f16eadadd106c3dd3ef55b9ad860d0fce49ed412a330144f0fdc3ad
MD5 hash:	c389ff0d278f3df4581a7c305686cf61
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	Installer 2.0.exe
File size:	2'733'180 bytes
SHA256 hash:	40b8d2368df2682276c4040a796a2e3197877002cfc36e95e3f929d0e91c9ad4
MD5 hash:	ec42526811236af065d26632d2b2cbba
MIME type:	application/x-dosexec
Signature	RedLineStealer

File name:	4
File size:	251'904 bytes
SHA256 hash:	47df0d8ee1c920f15fe6c911b48fc66691c6c6ecf588359b0babc282ef811a57
MD5 hash:	663895f73a466871ce63a6ff83240684
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	91
File size:	46'080 bytes
SHA256 hash:	28351b814f6de3c7e4c7db4f53f8122017d25b7a78c2ddacd81a1bf40d194cd0
MD5 hash:	5ee594b6a6815f5b1eb59e881f7e0af4
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	55
File size:	26'624 bytes
SHA256 hash:	1796d08e981389052e8637743578fa8f0a532d06242bcddaa0c7b8cc174bc67f
MD5 hash:	5fbc5578a151b733fcfc1bc083fa0402
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	COFF_SYMBOLS
File size:	1'153'660 bytes
SHA256 hash:	418fdec4a6caa0d1918faa556188eede5ff08142f270bf5d23c9d0c30e0133a9
MD5 hash:	0e2f369df8285ef1f92259142a773c4f
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	14
File size:	512 bytes
SHA256 hash:	31eeca3468fa039d38f088a8b6b0ba0e4954eb10e3854d10976503311d185fb4
MD5 hash:	b9ac0fd156b2bf9cec8db6f6e8a5ca9b
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	67
File size:	512 bytes
SHA256 hash:	f39396344a9be568dd144b13d06e472ec1f3381f52dabc95bf6a4676fd40fdc4
MD5 hash:	f4420fd17eba1b6217e2b6fb85941819
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	29
File size:	164'864 bytes
SHA256 hash:	5a731b437eaaf56d902e44a3a791a718b9a4b0c93c042a815e945737b35dfee5
MD5 hash:	d5f0ac002a411b5cd04736d0aec86b6b
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	102
File size:	5'120 bytes
SHA256 hash:	81c37fec3d0a14ae52c2f96f4b88ac336753e9ae238235b1c0592217af4ef456
MD5 hash:	3135e56289b1e0428e828e91c46d6067
MIME type:	application/octet-stream
Signature	RedLineStealer

Vendor Threat Intelligence

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/978e91c1a1ab273aecebfa1a686a0110b3431fd1745034814673c86904909b71/

Threat name:

Win32.Spyware.Convagent

Status:

Malicious

First seen:

2022-09-22 22:09:48 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 39 (43.59%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s6hjdqnbvmttv3hl7ingq2qbcczugh6roridjakgopegsbeqtnyq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@akkkerman infostealer spyware

Link:

https://tria.ge/reports/220922-13draagbgm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

77.73.134.24:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/978e91c1a1ab273aecebfa1a686a0110b3431fd1745034814673c86904909b71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

rar 5cdb65cf746abb51242f89647866dcc62e518e9085b5a593b9839a224587b62e

RedLineStealer

rar 978e91c1a1ab273aecebfa1a686a0110b3431fd1745034814673c86904909b71

(this sample)

RedLineStealer

exe 40b8d2368df2682276c4040a796a2e3197877002cfc36e95e3f929d0e91c9ad4

Dropping

SHA256 40b8d2368df2682276c4040a796a2e3197877002cfc36e95e3f929d0e91c9ad4

Dropped by

SHA256 5cdb65cf746abb51242f89647866dcc62e518e9085b5a593b9839a224587b62e

Delivery method

Distributed via web download

Dropping

MD5 ec42526811236af065d26632d2b2cbba

Dropped by

MD5 fe9d939602fa487c9a4debf48cfc0d3d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample