MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97e15371437f0630fc954ae67a4ae3da514cb232b97cde645d296c7227e84fc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97e15371437f0630fc954ae67a4ae3da514cb232b97cde645d296c7227e84fc0
SHA3-384 hash: e396c98f4f7fa64a8b3e23db4cc67ec3b2b8a4a7734540ddd5164a0636d6adcb48e248e71a73c82d66d79ba8f525c35f
SHA1 hash: 51c632e2ef40f861d856aea4ebf1bbcb7654cd8c
MD5 hash: 85f492b9a35274b6b3c897546385de67
humanhash: hot-social-twelve-colorado
File name:85f492b9a35274b6b3c897546385de67
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:608'932 bytes
First seen:2022-04-08 06:53:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XA/M5WiefreD54H5m32o0GuJ4xlTq+09k:XtWinKmGVNOxlTql9k
Threatray 3'872 similar samples on MalwareBazaar
TLSH T185D49D15A7B82F67D17E9736D4316060C7FAF6476621EBDE7CE000D806B2FA28B61712
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
85f492b9a35274b6b3c897546385de67
Verdict:
Malicious activity
Analysis date:
2022-04-08 08:06:27 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4dfe3e08-7643-458d-b20b-969557b00046

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/261897/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1282.14410.9617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/624fdc15cccdcb9947293c97/reports/d49e4917-8469-458f-a663-4b7a9d19d5b5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c795f3a2-b751-4815-b6e0-e812c91735bb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/972910
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97e15371437f0630fc954ae67a4ae3da514cb232b97cde645d296c7227e84fc0/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-04 23:49:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7qvg4kdp4ddb7evjlthusxd3jiuzmrsxf6n4zc5ffwhej7ij7aa._file
Verdict:
malicious
Similar samples:
328549d9e6747ecf3feea8208902a2ba90f4918284066b24843d20eecd219ab9
RedLineStealer
5f4be5b1118b3a61f72cf7a9647d5542fd52d470be2eec3470f53351a4c9f6ae
RedLineStealer
6cc6029fbc87ed9a7c025317a6d9eff0fe0049a8ba647551efcaea78ed2a1eaf
RedLineStealer
cdadc76f61382593d88182fc8d09eb68d39c5ecddc5c13e8c45341615bc91b21
RedLineStealer
def82eea2b57f5b879e8e7c14eb6e0c5a6cd58874835c53f0cfd4ee18d30101e
RedLineStealer
ec694537528f39e61c4a295e99932641ac2660f8580911790926294c4a190afc
RedLineStealer
f3955ec185341df0ba244092025e241a6410a45f1700f406e61397ff40f94192
RedLineStealer
+ 3'862 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220408-hn73gaheg3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
78.24.216.5:12794
Unpacked files
SH256 hash:
c611a6ceb263401ed18ff93961bd6d0cdf8757e48d8e76b13943e85b9d3b5a0b
MD5 hash:
f9b293305bd04eee511c0ffd0e7f29d7
SHA1 hash:
fd981a9537a903422311f582defc1c8fd97248af
Link:
https://www.unpac.me/results/cd412cf3-b19c-4d77-8c38-2791a89dcfe4/
SH256 hash:
7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a
MD5 hash:
72403055ee098f50bcc8a238fdbef878
SHA1 hash:
eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d
Link:
https://www.unpac.me/results/cd412cf3-b19c-4d77-8c38-2791a89dcfe4/
SH256 hash:
f4f263514346ddca8d7a838aff4e439799c2bd0a2879c4426bcaf5b83460f0e6
MD5 hash:
55f4ae47a8c3e409939d37eabe669870
SHA1 hash:
999f1a288b323bd0e22cb6b3caeb0dbe6e47a35c
Link:
https://www.unpac.me/results/cd412cf3-b19c-4d77-8c38-2791a89dcfe4/
SH256 hash:
36faff729fd0a37cfff3ab74d66042a856fe7dddc6f62aa58c0cad7fd87030ab
MD5 hash:
5e18e0c3fdee28645c296d64a193e10d
SHA1 hash:
9633265833b1dc4db98e96f4ea2a163198d9b874
Link:
https://www.unpac.me/results/cd412cf3-b19c-4d77-8c38-2791a89dcfe4/
SH256 hash:
2d3d79965afb82c0bbda90e352e0b6df2f5653b3c35b25e7d3ea57b41c2db350
MD5 hash:
4f55afaccba1ec55a219fe3d6cec6e88
SHA1 hash:
05faf20a5ffc39c76dd84d73015ccf95ea31d19f
Link:
https://www.unpac.me/results/cd412cf3-b19c-4d77-8c38-2791a89dcfe4/
SH256 hash:
97e15371437f0630fc954ae67a4ae3da514cb232b97cde645d296c7227e84fc0
MD5 hash:
85f492b9a35274b6b3c897546385de67
SHA1 hash:
51c632e2ef40f861d856aea4ebf1bbcb7654cd8c
Link:
https://www.unpac.me/results/cd412cf3-b19c-4d77-8c38-2791a89dcfe4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/97e15371437f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/97e15371437f0630fc954ae67a4ae3da514cb232b97cde645d296c7227e84fc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 97e15371437f0630fc954ae67a4ae3da514cb232b97cde645d296c7227e84fc0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2136804/
Cape
Cape
https://www.capesandbox.com/analysis/261897/

Comments


Avatar
zbet commented on 2022-04-08 06:53:46 UTC

url : hxxp://107.189.6.214/q3bVevNo/6432.exe