MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bfb584b658b14859af7478cafb28b1baed60141566056a22f239d80d6fce9de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 9bfb584b658b14859af7478cafb28b1baed60141566056a22f239d80d6fce9de
SHA3-384 hash: 9801744670478e64df34bf5f1d4cc2a10a6ec9cfd4eeacbfabed5f8f7545d5ab4025d71b6d05b84e286fdff4c71a60f0
SHA1 hash: 284fbc5d684d6b61c8c010d2374614b99baaa7a6
MD5 hash: 9f1ca6ed11c1b9fc386d5d766495d8cb
humanhash: aspen-comet-wyoming-aspen
File name: 9f1ca6ed11c1b9fc386d5d766495d8cb.exe
Signature: RedLineStealer
File size: 642'560 bytes
First seen: 2022-03-31 09:28:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 58b5b612d2da1ed4f1d880f59853b70d (4 x Stop, 1 x RedLineStealer)
ssdeep: 12288:xLIUNpuK0ZegJbZHCy29/HJStmgD1UjSQw0jRKt6LqtS7J3opF:x/i9HJvAMtQw0jAZtS7JWF
TLSH: T17DD4F110BB90D035F2B726F54979E3A8B93EB9B15B3494CB62D416EE56346E0EC30353
dhash icon: badacaaecee6baa2 (3 x RedLineStealer, 2 x RaccoonStealer, 2 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 213
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  DNS request
  Sending a custom TCP request
  Sending an HTTP GET request
  Query of malicious DNS domain

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  SystemUptime
  MeasuringTime
  EvasionQueryPerformanceCounter
  CheckCmdLine
  EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: UNKNOWN
Details:
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLineStealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Behaviour:
Behavior Graph: n/a
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-03-31 09:29:06 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 23 of 26 (88.46%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:mix31.03 discovery infostealer spyware stealer
Behaviour:
  Checks processor information in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Legitimate hosting services abused for malware hosting/C2
  Loads dropped DLL
  Reads user/profile data of web browsers
  Downloads MZ/PE file
  Executes dropped EXE
  RedLine
  RedLine Payload
Malware Config
C2 Extraction: 185.215.113.70:21508
Unpacked files
SHA256 hash: 60df1c667578f94767b966eebee81c35536a397e63b4dc30ee61ed9723f90ccb
MD5 hash: 68682c3f3e1194bb9be52625eb653c3c
SHA1 hash: c26bd920190c6fa3606b0463ae6d2311ac8b70e3
SHA256 hash: 9bfb584b658b14859af7478cafb28b1baed60141566056a22f239d80d6fce9de
MD5 hash: 9f1ca6ed11c1b9fc386d5d766495d8cb
SHA1 hash: 284fbc5d684d6b61c8c010d2374614b99baaa7a6
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Malware family: RedLineStealer
File: Executable exe 9bfb584b658b14859af7478cafb28b1baed60141566056a22f239d80d6fce9de (this sample)
