MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
SHA3-384 hash: e3efaf4b5bd261113cd2d1557fb7c1642525c826224e73351e6e133b87ad07c9ebcd015c09702d297ca58568af9f05c9
SHA1 hash: 00c49f91aff2611a963f354dcf3cd69e29cc772e
MD5 hash: af216e631d1a1b02568bcaed35fe5195
humanhash: alabama-william-queen-orange
File name:SecuriteInfo.com.Variant.Ser.Zusy.3748.32584.28190
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'646'646 bytes
First seen:2022-12-13 03:28:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d829a66cf4812bc6fec5eaec0b3e1b2c (1 x RedLineStealer)
ssdeep 24576:MFCYBGcAEbM/sNqshAEhmvIsM/sNqshAEhmvIsM/sNqshAEhmvIsM/sNqshAEhmd:MFCps1hmvIps1hmvIps1hmvIps1hmvIe
Threatray 12'066 similar samples on MalwareBazaar
TLSH T1AB750233A5C1D2BAFFB120FA0DEB2D06593CF6085B5221CB21E0A6995F9D6D02B37574
TrID 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Variant.Ser.Zusy.3748.32584.28190
Verdict:
Malicious activity
Analysis date:
2022-12-13 03:30:39 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/9fd9dc6e-0841-4522-9fcf-85c9a6a14b9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/345703/
Detection(s):
SecuriteInfo.com.Variant.Ser.Zusy.3748.32584.28190.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6397f18004e0e79bdf4297f9/reports/d3436570-c86e-4307-9e64-b86bbf147898/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c5578ae-7ed6-4b64-84de-b91085d65c69
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133176
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 03:29:09 UTC
File Type:
PE (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjtwykcewxmzbkxt4nfuy4awf3g2zi4j3emyzmjlizliv5ydi6tq._file
Verdict:
malicious
Similar samples:
49e6332a5d2c1bf27e7d6c2343c35b9d98c39d6c8bb203b9e2fff4234496becb
RedLineStealer
690adc3179ac3706f31fc1acae2dce51011d1ccea5cf24cd73b8f49fa9e7ffc0
RedLineStealer
6ac2bc6b4e2357f73783d914f9a1cd56563c69c8f3eb9d4dff182a83b5378f29
RedLineStealer
7b4ba9c557949310d6283bcef6613cb577ef3a043647df094c2e3bfc3832da3a
RedLineStealer
91791f09eeafec7c137dd6f43d990a6475510ee67a76474f20d1012c023727d3
RedLineStealer
c20ccf287acc446472287bc6f3370ade587831c6cc677e8ca1131005f9a89dfe
RedLineStealer
c85256fef5467ac50c978ef721ee7b93577df33ebed17b6e01249a37c3d9f38e
RedLineStealer
e91bb1f7c2b2ffd094d3915f1fffbfe929efd49e1d732b51d60e8a378a8a066b
RedLineStealer
f40d28a5ad690a3fa3fded93e6fae91bcf61f896871fff9b4687611c58c1dee2
RedLineStealer
fb8188ffb0cf446d8a43dafc15adc94f590f3bbef120b92e950d0acc230de7bd
RedLineStealer
+ 12'056 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cesar discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221213-d1w4hsgc2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.73.134.54:19123
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9d06828c-48e6-44dc-8d86-2c2984a211d5
Unpacked files
SH256 hash:
51257d018ff4ce5ae8206d9665b6c34ca133401e54fd8d36fd80285fa93102c4
MD5 hash:
312b1b1fdc576caa1a593ec774b609be
SHA1 hash:
8fd0e07472252b934f74584977791d60bf3b4968
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a03679df-1637-42cc-9bcc-5e342d05c8b3/
Parent samples :
9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae
SH256 hash:
ace78ea250664c65701a77d971ba6b7c66e7d02f29c7dae29fc8e4629b610130
MD5 hash:
2776d9e063f6cdd8286a736770eb2b62
SHA1 hash:
450ef060b6dd41b31a265e2898d478a5b18896f8
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a03679df-1637-42cc-9bcc-5e342d05c8b3/
Parent samples :
9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae
SH256 hash:
de02de9a91ec1f2570038002ed64632d2daf9474665141f47492820a95ea8107
MD5 hash:
03510c228269d218b3d198ebcab59d0e
SHA1 hash:
458831b85e352682cc0511e7cfec3cfcfcdd0b0c
Link:
https://www.unpac.me/results/a03679df-1637-42cc-9bcc-5e342d05c8b3/
SH256 hash:
f702f304432452efa278d5c3ad785edfb099e7738723a7fda56bec8f97bfd18c
MD5 hash:
73a9c54b669d42ab2bf97da70a1a9994
SHA1 hash:
393c5645ada0fab8a1b634bd688f0d14414e596d
Link:
https://www.unpac.me/results/a03679df-1637-42cc-9bcc-5e342d05c8b3/
SH256 hash:
9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
MD5 hash:
af216e631d1a1b02568bcaed35fe5195
SHA1 hash:
00c49f91aff2611a963f354dcf3cd69e29cc772e
Link:
https://www.unpac.me/results/a03679df-1637-42cc-9bcc-5e342d05c8b3/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9a676c2844b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2455499/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/345703/

Comments