MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 979633ef5386a4386d862a8643210676ec89394021b2513a69e5588ff5b49453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12


SHA256 hash: 979633ef5386a4386d862a8643210676ec89394021b2513a69e5588ff5b49453
SHA3-384 hash: 3e367e6e72e7c31647f36685641a2338a9c680f4162dcecb68dd83252d7699e60ce9202e9a8967d9ba921d7caee4bcce
SHA1 hash: 72cb44ae26858e01e983f5805831aed90c613f0e
MD5 hash: bbbbd928e2f836778602dfe4f058089e
humanhash: mountain-golf-two-texas
File name: Wayfarer_v1.2.8.exe
Signature: RedLineStealer
File size: 4'365'824 bytes
First seen: 2022-11-13 18:04:51 UTC
Last seen: 2022-11-13 19:48:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4ddf84c72581c0b846f8f339ddd2ec46 (2 x RedLineStealer)
ssdeep: 98304:BOwOIMlNc8k7kfpaLWGEdKDt1Wb4MouaL62T6uDto751ij:0wOIR8k7kRgEIDiDo5+2075
Threatray: 545 similar samples on MalwareBazaar
TLSH: T17B1622F326160041D3E588398537FDBCB1F2EA6E4A7DEBF9B9D579C624324A4E102907
TrID:
  32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  13.0% (.EXE) OS/2 Executable (generic) (2029/13)
  12.8% (.EXE) Generic Win/DOS Executable (2002/3)
  12.8% (.EXE) DOS Executable Generic (2000/1)
dhash icon: b0f0cc0f8f8cc8d0 (1 x RedLineStealer, 1 x AsyncRAT)
Reporter: iamdeadlyz
Tags: exe FakeSolantasy RedLineStealer SpaceDeepy Wayfarer


Iamdeadlyz
From spacedeepy.com (impersonation of solantasy.com and oxocapital.fund)
h/t to fireflyframer
RedLineStealer C&C: 77.73.134.13:3660

Intelligence


File Origin
# of uploads: 2
# of downloads: 242
Origin country: n/a
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: Wayfarer_v1.2.8.exe
Verdict: Malicious activity
Analysis date: 2022-11-13 18:07:34 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 80 / 100

Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Threat name: Win32.Trojan.Tedy
Status: Malicious
First seen: 2022-11-13 18:05:14 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 14 of 26 (53.85%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline infostealer

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
RedLine
RedLine payload
Unpacked files
SHA256 hash: 5137f95dcd46e121fcfbac1214a15d463abd68dba2ae9c68d3a8f8d812713e59
MD5 hash: ad1619c218d638a3b6176e2aa60f27cb
SHA1 hash: c12f10f8d06bdcfc05362da1a018eb9d9d572c6f

SHA256 hash: f88ae0b4c1574508419f80aacf2822797ec2b8648b777afbd414ccc5e0d8313a
MD5 hash: 005bfbd6c74ac0b9763581894a9b5829
SHA1 hash: ad7f99084d234b79c5b83a82c97b1f8738d4457a

SHA256 hash: 979633ef5386a4386d862a8643210676ec89394021b2513a69e5588ff5b49453
MD5 hash: bbbbd928e2f836778602dfe4f058089e
SHA1 hash: 72cb44ae26858e01e983f5805831aed90c613f0e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download

RedLineStealer | Executable exe | 979633ef5386a4386d862a8643210676ec89394021b2513a69e5588ff5b49453 (this sample)
