MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c3bd592fc9da10ff2b30b73f2195bad21df56f347eca2011904cf6d00a9a5e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c3bd592fc9da10ff2b30b73f2195bad21df56f347eca2011904cf6d00a9a5e2
SHA3-384 hash: d6bc72f4027d5507c167503c62e55f2876df87407a46ff86f410d21c8285aa9a64082aa142e4525d4fa95295319b5aca
SHA1 hash: f68c1ba33035486644a48040310d036bc08bb04b
MD5 hash: 9e16bdb0e41a5fea9f946f08c5dbadd1
humanhash: dakota-ceiling-georgia-fruit
File name:9e16bdb0e41a5fea9f946f08c5dbadd1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'931'840 bytes
First seen:2021-06-27 11:10:10 UTC
Last seen:2021-06-27 11:34:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:e8aLyjsqO1brwerQIWONYxBqSOFdOLwfAyX0gV2ozVwTGhP2un:ehcsl5rweFWONYxcSM5kh2VwTg9
Threatray 135 similar samples on MalwareBazaar
TLSH 219527893B9F83E1F7E4F5B1707A127E0E282E5634E1BF8DBF58B14D062A94358A0D51
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.81:28578

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.81:28578 https://threatfox.abuse.ch/ioc/154212/

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://topkeygen.com
Verdict:
Malicious activity
Analysis date:
2021-06-26 22:55:41 UTC
Tags:
loader evasion stealer trojan rat redline vidar phishing ficker danabot
Link:
https://app.any.run/tasks/0a6cf257-1130-4114-9728-5b616bd09b47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PhishTank.Phishing.6846136.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28da04ad-bf5e-43fc-a72c-083ecf154ed1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/808540
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c3bd592fc9da10ff2b30b73f2195bad21df56f347eca2011904cf6d00a9a5e2/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 19:22:00 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tq55lex4twqq74vtbnz7egk3vuq56vxti7wkeaizathw2afjuxra._file
Verdict:
unknown
Similar samples:
0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c
RedLineStealer
1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20
RedLineStealer
27ff5c94ac88e4473fcfd223818a8d39860cbe0cf2220c28d490c6536aeeba96
RedLineStealer
2cd722bc4e448f38f4e79e69a48a7fc3f92c09586e50bc0f3f9f8dc5f4495fcc
RedLineStealer
3c47f8bdb6cb223b1b28ad2401962949c90f1780028be03d775b7d4322aef6f0
RedLineStealer
6f17b58e1488f1767e4abb7e1d748a5aa2e6f29899814c019cb3418af9a0d536
RedLineStealer
74c4b564a26e029db5ade50a19a6f1e2c83d9ad7eb4a42cf9c8d54d0408d1b2e
RedLineStealer
796641693606c51475b6f29a63a9568729b097660ea2cfd9e15b610325dd0b93
RedLineStealer
bbc467be402fa10957b329f79484dd0dfbf30ca52ed4275f0fa2085807786f5a
RedLineStealer
c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170
RedLineStealer
+ 125 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210627-db9y1r4v1e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Unpacked files
SH256 hash:
9c3bd592fc9da10ff2b30b73f2195bad21df56f347eca2011904cf6d00a9a5e2
MD5 hash:
9e16bdb0e41a5fea9f946f08c5dbadd1
SHA1 hash:
f68c1ba33035486644a48040310d036bc08bb04b
Link:
https://www.unpac.me/results/0187dd01-9de8-4963-af45-25749a994fe7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9c3bd592fc9da10ff2b30b73f2195bad21df56f347eca2011904cf6d00a9a5e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9c3bd592fc9da10ff2b30b73f2195bad21df56f347eca2011904cf6d00a9a5e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1364157/
  
Delivery method
Distributed via web download

Comments