MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c06fb9cd1681265c27863ace1271fa191d9fafc715dd1e4cd96607457ed9523. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c06fb9cd1681265c27863ace1271fa191d9fafc715dd1e4cd96607457ed9523
SHA3-384 hash: 9a6ea7be5f1e00e932eb8344e56765a1a09e5aea4fa661040d3a2c9edc2ca2f168e245340e62869c31503c1eabff7b21
SHA1 hash: 11d9b3b8c3ae7c29acbe9c9632cd5841c0484ae6
MD5 hash: 4994b81914e971b77f0035c4de553aa4
humanhash: diet-august-grey-fifteen
File name:SecuriteInfo.com.W32.AIDetect.malware1.18449.3864
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'145'392 bytes
First seen:2022-08-01 10:44:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:URQfoPmReIWYS4+5k9iIXbV2U+Vp58L3jvv/oAad0H0Mq:UqS4+54Xh2Uub637dH0H
TLSH T1A8361233A2635190D1F98839C537BEE572FB0A3A8741A4B636E6FDC114339D1E22B587
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b4f464601919d99e (1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:JBL Słuchawki nauszne JBL `USA 00~9 Combo
Issuer:JBL Słuchawki nauszne JBL `USA 00~9 Combo
Algorithm:sha1WithRSAEncryption
Valid from:2022-07-30T11:02:22Z
Valid to:2032-07-31T11:02:22Z
Serial number: 78e3e80c29e8eab44d4db83cfd409fdf
Thumbprint Algorithm:SHA256
Thumbprint: cde2f162be8e706065340daf49db8eee3185995fdbc26aa3e60b5f58b913b943
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.198.57.19:80 https://threatfox.abuse.ch/ioc/840684/

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295540/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.18449.3864.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/62e7aeb6bcf76fcb6cd7e7cc/reports/32f7003f-98fd-434d-b75b-95c1e8bfdace/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6afa7f3d-0c93-45c2-a89e-5438550d9cda
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044102
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c06fb9cd1681265c27863ace1271fa191d9fafc715dd1e4cd96607457ed9523/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 08:49:30 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqdpxhgrnajglqtymowocjy7ugi5t6x4ofo5dzgnszqhiv7nsurq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220801-mswmfsgfap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
1d376bba9bb8f1d782567a2354928a8af3f367cab3c5a36bf63a0e620cc6357f
MD5 hash:
040ec1aafa4dcb8c4a3dce039e9cc1db
SHA1 hash:
ef5ea8883d7b975ce868658e5142d964da20629c
Link:
https://www.unpac.me/results/2d37239c-d786-4295-81dd-3e3cde81246c/
SH256 hash:
96c385a7d26002d4a040682ac783cdd5ab878c5a8f3636525cf8628c96067091
MD5 hash:
bce04130f6b1cc566db93aa29ba63211
SHA1 hash:
c72d5c7b63b8af3b561aa0d79ef5dcfb36534803
Link:
https://www.unpac.me/results/2d37239c-d786-4295-81dd-3e3cde81246c/
SH256 hash:
9c06fb9cd1681265c27863ace1271fa191d9fafc715dd1e4cd96607457ed9523
MD5 hash:
4994b81914e971b77f0035c4de553aa4
SHA1 hash:
11d9b3b8c3ae7c29acbe9c9632cd5841c0484ae6
Link:
https://www.unpac.me/results/2d37239c-d786-4295-81dd-3e3cde81246c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c06fb9cd168/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c06fb9cd1681265c27863ace1271fa191d9fafc715dd1e4cd96607457ed9523

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9c06fb9cd1681265c27863ace1271fa191d9fafc715dd1e4cd96607457ed9523

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2263231/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2263302/
Cape
Cape
https://www.capesandbox.com/analysis/295540/

Comments