MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b6e10183038e8b5b96901589e3235aae062e7e3d4aab6fc3acea667348734c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 3 File information Comments

SHA256 hash:	9b6e10183038e8b5b96901589e3235aae062e7e3d4aab6fc3acea667348734c2
SHA3-384 hash:	88d8fb9b0caf249a1317b8c1299811f6e7e0e98683b88b59b2f723cf894b485add4df2768c46fb9065872ca07ab8ae3f
SHA1 hash:	0a5e0aa4926da9be97728d8fc744d4b8a396a4b3
MD5 hash:	e26266240298c7bbd14a7f4bc7acf7f9
humanhash:	oscar-robert-potato-kentucky
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'332'224 bytes
First seen:	2022-10-28 20:26:30 UTC
Last seen:	2022-10-29 06:16:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1b62f5ec48faa08ab096dfae72734859 (36 x RedLineStealer, 5 x ArkeiStealer, 1 x PandaStealer)
ssdeep	24576:2+yGpBYhf6VgqFDErGSk0YCYl0kmiWMpL26gd+ePJj6a6WcgOzJ/o:TyGyhf6eqFDEaSPiUQ/o
Threatray	1'224 similar samples on MalwareBazaar
TLSH	T1C8554C3AE70614B4D76356B1C19EFE7BDB14B6348022AE3FFF46EA0CA4734126C85256
TrID	44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc758682806_652711489?hash=pKoZo2QSOzMhvIYVKdTUklQi3x7efjCznSjZ0sEmHdz&dl=G42TQNRYGI4DANQ:1666988480:HAguzlES7bjMqXzmqPLytxzNt3Vct2jQVm1vz9y0faH&api=1&no_preview=1#test

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.15.156.86:37262	https://threatfox.abuse.ch/ioc/952614/

Intelligence

File Origin

# of uploads :

269

# of downloads :

355

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-28 20:28:09 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/7d381fe0-b506-41ec-a501-bc2ae0ab99e6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/325642/

Detection(s):

Win.Dropper.Detected-9976151-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/46435/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/635c3b17ce1f43143c29e529/reports/2eb0a006-7026-4381-9884-78af33305e43/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f095cdd-27aa-42aa-975f-c945ed5bd051

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1100625

Signature

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b6e10183038e8b5b96901589e3235aae062e7e3d4aab6fc3acea667348734c2/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-28 21:12:41 UTC

File Type:

PE (Exe)

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tnxbagbqhdulloljafmj4mrvvlqgfz7d2svln7b2z2tgonehgtba._file

Verdict:

malicious

RedLineStealer

1db704f3f9fe100025e28edf65664262a7c3a75d8bd302bd2c4ab2d73cc53be7

RedLineStealer

5f7be64cd64916c531655eafbdc55a88fb66f0d88e5a0a0f7e0bba5e98e411c8

RedLineStealer

9f2faf80c55e7e5cd33efc4e1348bec3b46080841e03e3186c658362162b2904

RedLineStealer

c58b9d97ff53dc98c4e1d58ed402f4831e6c949d99c5a42d92bb10e8b5b00f3f

RedLineStealer

ff4349856d76d02882e6affb27c70553dcdca030a4efbaf051a1f4edfe7183ec

RedLineStealer

+ 1'214 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:3 infostealer spyware

Link:

https://tria.ge/reports/221028-y8ejnaebd8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

45.15.156.86:37262

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d0244028-3097-4585-b1b4-0fade8435e3d

Unpacked files

SH256 hash:

63761d1445c91f9cf062679f089331f8ba7d42af7bc94b179a33932591e88111

MD5 hash:

17b4ed5a962d8167d573cc4356af8cad

SHA1 hash:

9394814ac2cfed35605d50e8205816296617d6d7

Detections:

redline

Link:

https://www.unpac.me/results/ad8ab36d-0bc2-4da0-ab5c-9f38a216f194/

SH256 hash:

9b6e10183038e8b5b96901589e3235aae062e7e3d4aab6fc3acea667348734c2

MD5 hash:

e26266240298c7bbd14a7f4bc7acf7f9

SHA1 hash:

0a5e0aa4926da9be97728d8fc744d4b8a396a4b3

Link:

https://www.unpac.me/results/ad8ab36d-0bc2-4da0-ab5c-9f38a216f194/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b6e10183038e8b5b96901589e3235aae062e7e3d4aab6fc3acea667348734c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/325642/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample