MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cb05c21522a78ee7a0b2da259e08efc87a3021cbfc9d466ebcd50aaf9ce5e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cb05c21522a78ee7a0b2da259e08efc87a3021cbfc9d466ebcd50aaf9ce5e29
SHA3-384 hash: 9d7990ce1a514f174223d9a3fea75719973cb7578dce6eb460a913bb152b77af181e8ba6f29eba6d67774ca042fec401
SHA1 hash: 48c74a278d91b2512fa848e9e1217190d6cc32e1
MD5 hash: a87b6f6dd35a823bbb58a84214966b85
humanhash: salami-double-zebra-nineteen
File name:a87b6f6dd35a823bbb58a84214966b85.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:419'840 bytes
First seen:2021-06-27 15:51:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c55a6c5b8dc5009c74a01bc124b7b217 (2 x RedLineStealer, 1 x CryptBot, 1 x ArkeiStealer)
ssdeep 12288:679qMnSd30Q7zr5vfVPjUsqKL2sS/YqUq:yEd3J7lfR4sSt7
Threatray 949 similar samples on MalwareBazaar
TLSH 5C94AE00FB90C035E5F621F85E7AD6B8A53CBAB26B2450CB62D52EED57346E0AC31717
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a87b6f6dd35a823bbb58a84214966b85.exe
Verdict:
No threats detected
Analysis date:
2021-06-27 15:54:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c59e6b23-f5b6-422e-a3f0-85027947c948

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Glupteba-9874594-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6935c41b-99d8-48ff-81f2-44e6dc300382
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808579
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cb05c21522a78ee7a0b2da259e08efc87a3021cbfc9d466ebcd50aaf9ce5e29/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-06-27 14:14:38 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsyfyiksfj4o46qlfwrftyeo7sd2gaq4x7e5izxlzvikv6oolyuq._file
Verdict:
malicious
Similar samples:
0346531afa41316034e3e2165641030345eafb490028b03146b4b137f6b58138
RedLineStealer
0bcf14216198351151d34d3e6ea6c05bf06c62eee05e15804ba132ea455b3710
RedLineStealer
5c191414da0698605097bec67f7c649c24bd176cdb5c06f83ca213b8b053d4f2
RedLineStealer
6117422892b290bd26bde0e3e1e496451c83d276d098336db9d32dea86c16790
RedLineStealer
63d9527d69c228772ebadb63c1e74d7d0702acac52357fcea08ec5a408ca0453
RedLineStealer
95dc83cadd34f15afa9fd684c6f931a756a9fc5e1cd7e069cf785e309e944a60
RedLineStealer
c1bf7b86768806a3689e4f14be7e98a192bd48d8ac045ba71ec9b3b27b1fdfda
RedLineStealer
f02ed3a78211bd9b91772d2a297e6b34a8171627b0c78b88575ff03c40b70b72
RedLineStealer
fbef875f61027e592a684c32ff682b80d94e95966c42f73a4a04893f876513a7
RedLineStealer
ff43e5ff78c057004608c0595a0d39e06e41ef09ce5be9120eff598a6782c522
RedLineStealer
+ 939 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pudt discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210627-qz8w9fhl66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
176.111.174.254:56328
Unpacked files
SH256 hash:
d3a86e8c7dfc6da4450f1a19e214637dc87e4bf9e0ad30034803ab80cace095c
MD5 hash:
cb5fc5dd3ba9fdd7af4b8eecf33f77d5
SHA1 hash:
d2bf6ecc946301c58381a88bf12d74204314b7e8
Link:
https://www.unpac.me/results/d25816ed-8bd8-4b87-8e23-f253dff61519/
SH256 hash:
a3774922e16ff1224a3e509b6fffc7c1dabe5a9a680539608b78839e481d7f1e
MD5 hash:
651e96a0d52076aa5ed2d82739b5c9b1
SHA1 hash:
b1ccd75ad0feed1d11deecb72ef0abac5e3ecf09
Link:
https://www.unpac.me/results/d25816ed-8bd8-4b87-8e23-f253dff61519/
SH256 hash:
e13e35685114980f612af2304d7916557b03dc43609ada58de42bfa1bd5929d1
MD5 hash:
d73b577cdc3854b7ba4b09f17a84e1db
SHA1 hash:
0b60823181914658cc07e8629fc9b5ddfcdf1fee
Link:
https://www.unpac.me/results/d25816ed-8bd8-4b87-8e23-f253dff61519/
SH256 hash:
9cb05c21522a78ee7a0b2da259e08efc87a3021cbfc9d466ebcd50aaf9ce5e29
MD5 hash:
a87b6f6dd35a823bbb58a84214966b85
SHA1 hash:
48c74a278d91b2512fa848e9e1217190d6cc32e1
Link:
https://www.unpac.me/results/d25816ed-8bd8-4b87-8e23-f253dff61519/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cb05c21522a78ee7a0b2da259e08efc87a3021cbfc9d466ebcd50aaf9ce5e29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9cb05c21522a78ee7a0b2da259e08efc87a3021cbfc9d466ebcd50aaf9ce5e29

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1394014/
  
Delivery method
Distributed via web download

Comments