MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9965fcde1505056f460b5a9a8b2088df03eaf81ae152defc89496986bfd2dc7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	9965fcde1505056f460b5a9a8b2088df03eaf81ae152defc89496986bfd2dc7c
SHA3-384 hash:	81f3a90df6c61c0485037cb711e3c8043317dbf8eacdc976f67fd91d7e014a16f122cc6cefc11c050cc1a6847240ebe2
SHA1 hash:	a39f1cd889bc381a26c4730be2e094e5bb69c899
MD5 hash:	40ff0abc42c57f7812f3805ede7bd545
humanhash:	one-kilo-nevada-twelve
File name:	40ff0abc42c57f7812f3805ede7bd545
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	416'256 bytes
First seen:	2022-05-27 18:35:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	936051dc8adff508935df6441a5fb70e (4 x RedLineStealer)
ssdeep	6144:5j00OVDL5ukCUhrK27B4x5BOhld7AyKdAMSnqpJ0Dlt25wqigavwVf:5cDL5+UhrK2105BAGdAMSqQDjV
Threatray	6'454 similar samples on MalwareBazaar
TLSH	T18A94E1217290DC31D4527E30887386BD6B3BB862E230544FF794B71E6EB2781AA62757
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea68c9ccc (15 x RedLineStealer, 13 x Smoke Loader, 5 x Stop)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

788

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

40ff0abc42c57f7812f3805ede7bd545

Verdict:

Malicious activity

Analysis date:

2022-05-27 18:42:04 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a6aeb645-6b77-40c9-8585-99acc097dd8f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/275090/

Detection(s):

Win.Trojan.Generic-9950428-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/629119f66bd27afab46620b8/reports/9830828b-5c47-493b-8aa4-1180b3366425/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9fdf4509-ffbf-4f65-816d-5fd2c1b615d5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1002880

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9965fcde1505056f460b5a9a8b2088df03eaf81ae152defc89496986bfd2dc7c/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-05-27 18:36:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tfs7zxqvaucw6rqllkniwiei34b6v6a24fjn57ejjfuynp6s3r6a._file

Verdict:

malicious

RedLineStealer

5673773206126f12f4692e91c084b927357d9cf5fa3d5c312d89c9942b5c90fe

RedLineStealer

5fd46b0d3207b06f1575d40854fc514235485cc242428f07d6b06b9b3081112f

RedLineStealer

680d3d516b0ef08572b192250d25ed8b15b56e0395014256ee9714969f95517a

RedLineStealer

8a0241fb0a7b532549280c4e8e3b0a41b10ed54130c3210669ae0319b37f1547

RedLineStealer

a61d991d01857b94696c896e5f0a9b5a5537d7f7bdfa342551f88fc6c865d3ad

RedLineStealer

ab9076d2fc3411897b5db85ac2c3c5fa791049b2f98b92dcf059fd0f48d4262a

RedLineStealer

cdc14c6c7e3ab6373baf5031c597d302f68791ed3b0a98e446b150a1f22c8d0f

RedLineStealer

d387247c7e6901ab07a1e3d42e6840b927939c861292e6ea5e8e4c51c390d3a2

RedLineStealer

+ 6'444 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:aws1 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220527-w8xdcsgch2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

185.215.113.201:21921

Unpacked files

SH256 hash:

9f02c6084c920c19c2eb47c6922e0e7dc241632260d1d46b88c62daa9b94d7a4

MD5 hash:

fd567e71d0745e4f815e0a05357ee924

SHA1 hash:

b5de4e8fc2e9f36df0990e6055967781c2fbc39f

Link:

https://www.unpac.me/results/12758844-e513-460e-863a-fea8250d62b7/

SH256 hash:

f98e473ece2f4bf4c6c6bbc2b3b9fe2fc046d51138267a85a10d5590f5de7cd6

MD5 hash:

0ae58270aacfb174f4c40faf86cb9439

SHA1 hash:

997e22cb34794b1e0d4ac66479f950c83f037fc8

Link:

https://www.unpac.me/results/12758844-e513-460e-863a-fea8250d62b7/

SH256 hash:

92963324a80afc083286097cf3a4ede06eb215c97e1625f3a4b0146d316fd2f9

MD5 hash:

cac01c348864feb25bfbebf288956cb9

SHA1 hash:

8045dc750fdf204017f66c8510a547f890bc5df7

Link:

https://www.unpac.me/results/12758844-e513-460e-863a-fea8250d62b7/

SH256 hash:

9965fcde1505056f460b5a9a8b2088df03eaf81ae152defc89496986bfd2dc7c

MD5 hash:

40ff0abc42c57f7812f3805ede7bd545

SHA1 hash:

a39f1cd889bc381a26c4730be2e094e5bb69c899

Link:

https://www.unpac.me/results/12758844-e513-460e-863a-fea8250d62b7/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9965fcde1505/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9965fcde1505056f460b5a9a8b2088df03eaf81ae152defc89496986bfd2dc7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.