MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927
SHA3-384 hash:	02e70d1f0567afabf9be48c602f5486ea61d3440b8506072b0cabbcf50cfe6852c25d6852cc2c393aee6554ee17a6a84
SHA1 hash:	5b142fdd633ee1f4819a98a49d6c9867f5638d32
MD5 hash:	a9ca2564b8ba4c5a328adb81bf8f2f67
humanhash:	venus-stairway-grey-cup
File name:	SecuriteInfo.com.Win32.RansomX-gen.3899.30061
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	358'912 bytes
First seen:	2023-07-23 05:27:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cfbfd8ca3fe61cf1ac99b7bb15f4a1e5 (4 x RedLineStealer)
ssdeep	6144:OlncTahBlE2FGKHxkHpBK/ojJqVIWGEirMkipfjZ8VmTEi4/B:Snc+XlE2xGHpAgNqWWG3yp188Ej
Threatray	170 similar samples on MalwareBazaar
TLSH	T1B774E111F3E0D073D0A7957055B4C7A01EBEB822A77995CB37982A3E1FB06C05B753AA
TrID	52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.5% (.EXE) Win32 Executable (generic) (4505/5/1) 3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	8494160480889820 (1 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

SecuriteInfo.com.Win32.RansomX-gen.3899.30061

Verdict:

Malicious activity

Analysis date:

2023-07-23 05:28:30 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/5aac3ed0-344a-43e6-95fb-58077e059f74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/429485/

Detection(s):

SecuriteInfo.com.Win32.RansomX-gen.3899.30061.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64bcba62e179a8163b7d9946/reports/70920d80-dd01-4f6f-90e4-24618b243931/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ea73e796-7e78-409e-a43a-830caef3ed3e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1277847

Signature

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-07-23 04:38:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ttfyioc6luor5ukqf7r6ajypk22yhc2wqk55cvf2e4agqrtd3etq._file

Verdict:

malicious

RedLineStealer

0c5d1c2c1f5bcb910d25419e87349bce28055b67de3ef6bd1e511a6b17290fce

RedLineStealer

152a044d6ead756bf25102941ae5347d21c1eee29811dff7ac86c216d430745b

RedLineStealer

3d9868ef3b6c60ebe9ef766672923f57253ac74cd5bc2592e2d62bb984b5f95d

RedLineStealer

572e60bad91adcc0711b6c93408bc73812d05a7485b0f2a5125f4e3af19dcba0

RedLineStealer

75f9db664373b1e957799e65139d1468c7cc7f39ce171c100b875d886cda0690

RedLineStealer

7ed395afebf774d7e1e0ce47b88445afc2a8b9811c94553f6923ba4496ce9962

RedLineStealer

8359a347a41ef75b7a1591d2bd81372d24e25aab079e08ab7185bdbb0948955c

RedLineStealer

8a9e291a57a70f07a7d3b0aee7f05b8268a5af104b1bbafa571d8d662fcd66b0

RedLineStealer

+ 160 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230723-f5z23sea2w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

178.32.90.250:29608

Unpacked files

SH256 hash:

fe2e6f04b777ad58b3aa60f3ae725613f850cd7f33c1b5cf412b3834289eb4af

MD5 hash:

00981eed9a174d47add5c077be3ce7ab

SHA1 hash:

ff8a981a094b4c5cea1be6671ede01e1f1e6c5fb

Detections:

redline

Link:

https://www.unpac.me/results/52fdf95b-eff8-4e56-b08b-d89acb74d12a/

Parent samples :

5fc3742d0cfa7687a674e7f209178ca2a50e08ba963f3d09d51550ca02b03d0c
6105816824582f328f8f6b7a9ee5e55cb8af62a0a2e114467136ee5ea9c6f2d9
6c1db78d78510a26869a0c1719396ec0151beb97ed7aa868d2bba9094d670565
127b541a7b46de5491b561efecdfa61b1ebfa655a80d19e11d0a09a0a9733f53
9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927

SH256 hash:

72f33a98e88d0f17816c1ffdec17f74ed3b45582e7bfb9a7a97badde980a5583

MD5 hash:

c37db513789ef0b2e4cb7b5c613e2045

SHA1 hash:

fe22e822a3992e9e3fdb58d089b851a093c9a280

Link:

https://www.unpac.me/results/52fdf95b-eff8-4e56-b08b-d89acb74d12a/

SH256 hash:

95fd90ac54a23cc58162f72131d28c710e165286c3d42df4eec8a60a4cdc524b

MD5 hash:

741eb59c0a7d6e51ad6204088662709e

SHA1 hash:

d1270e8a99f43a1b1bcff9ee293472513c9db28e

Detections:

redline

Link:

https://www.unpac.me/results/52fdf95b-eff8-4e56-b08b-d89acb74d12a/

Parent samples :

SH256 hash:

d14a6bc260e69c17d5116aaf1550add0073a4530b12b74e5aff401cc7dae306d

MD5 hash:

d2f632d0f06158afdb609edc4cdce942

SHA1 hash:

adfa06207dc106a83b68bd958e5300874cc896cf

Link:

https://www.unpac.me/results/52fdf95b-eff8-4e56-b08b-d89acb74d12a/

SH256 hash:

9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927

MD5 hash:

a9ca2564b8ba4c5a328adb81bf8f2f67

SHA1 hash:

5b142fdd633ee1f4819a98a49d6c9867f5638d32

Link:

https://www.unpac.me/results/52fdf95b-eff8-4e56-b08b-d89acb74d12a/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9ccb84385e5d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ccb84385e5d1d1ed1502fe3e0270f56b5838b5682bbd154ba2700684663d927

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/