MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9
SHA3-384 hash: 12b39ab433e0ba82a7848f9e964e9934f8afc68b7498ed57f5f9fec4658c82e987b553545f535b4d8b3ef7a3ab6769a9
SHA1 hash: 33244efb0b3eb482b1bd97f70f6d9f4a258b3b81
MD5 hash: af42e89b8f540434cf710976e8991058
humanhash: king-batman-yellow-eleven
File name:af42e89b8f540434cf710976e8991058
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:394'752 bytes
First seen:2021-07-07 14:59:55 UTC
Last seen:2021-07-07 15:48:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c9b4a6ea51ade86685cc7cb33cacbc0 (2 x RedLineStealer, 1 x Stop)
ssdeep 6144:nhTlosCVUXUbL0GHgkZqFZGzz5lISEm3d381xveYXypwMM+zP98xdYFh4:nh2iUv0GHgkZqFZI5iC0zKwM1T9+dOu
Threatray 1'014 similar samples on MalwareBazaar
TLSH 73849E11FBA0C039F2F366F45A7A93A9653E7AE15B2490CB52D02AED1B356D0ED31307
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main_setup_x86x64.exe
Verdict:
Malicious activity
Analysis date:
2021-07-07 14:29:53 UTC
Tags:
evasion trojan loader rat redline stealer vidar phishing
Link:
https://app.any.run/tasks/1dc732fd-e1a8-436d-9650-1f00b1ceb383

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170217/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.32614.8125.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e600f1d2-1675-4563-9b33-4438b1b7768a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812953
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 15:00:44 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttnjrge4hne5uvlgyi3sfzjcghwpewju4exidqe3zbctcl3kq3mq._file
Verdict:
malicious
Similar samples:
0e6c5ac15534b9259e68d664d931f7ac4f06fc6dc01e87f1307716e37d46f07f
RedLineStealer
0ffa9641556c11890735aba122f4ebf94370fb4aab8c613f5025df7559214f51
RedLineStealer
1467dbcc4b504ab94baaa6bf9dbb59dbddc3ea61a86452b61760cf6f50417364
RedLineStealer
163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311
RedLineStealer
3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6bb851ae135d222a88a1
RedLineStealer
43a38e0f15c22a94dec67acce84a2cbed685b8c58014ee4a432dad8f9e550a7f
RedLineStealer
4955fdfd3badd730cd26c71a8804d57a38310b8cd1981397c00db1ea24e14507
RedLineStealer
5640e973edefbcd5f30f0be1c1f4af39b138a70437c578bebb09bb790f3564ba
RedLineStealer
8f4001fd561fb0462d88c09f3be2c8cfc6810118c79066e1ec6956d43e18c643
RedLineStealer
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
RedLineStealer
+ 1'004 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:new discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210707-vqrrsyx7y6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine Payload
RedLine
Malware Config
C2 Extraction:
qurigoraka.xyz:80
Unpacked files
SH256 hash:
0ca52e3643bf8d6c3220c3a1ab4acee8bc2d2190e4243484f1850a0d5cdad505
MD5 hash:
59592001c2e72fccd3ba26e06b41a38d
SHA1 hash:
ca6a9cf02fa7b97abc7968aa3b93f2a36e25b9f7
Link:
https://www.unpac.me/results/030a72e2-2750-42ec-bac1-c29d42499d35/
SH256 hash:
f6053057922a41829065f9055ad0fcbe99efbaac2bdec9f3e50daaa9076ea3a8
MD5 hash:
b1c425e0a02520b5c23e6742c2ab17b3
SHA1 hash:
8a7b40703b331b862d62decb8f11e13a5819a922
Link:
https://www.unpac.me/results/030a72e2-2750-42ec-bac1-c29d42499d35/
SH256 hash:
0f92d07d858b03c8f8c2fc2beeff74c5b77fe46bc30be9710d78c9298b004f17
MD5 hash:
49dc3437674761aad340ceca9d334b17
SHA1 hash:
33fd48cd916df2e3e15e29ee02d43b2c4a01ea29
Link:
https://www.unpac.me/results/030a72e2-2750-42ec-bac1-c29d42499d35/
SH256 hash:
9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9
MD5 hash:
af42e89b8f540434cf710976e8991058
SHA1 hash:
33244efb0b3eb482b1bd97f70f6d9f4a258b3b81
Link:
https://www.unpac.me/results/030a72e2-2750-42ec-bac1-c29d42499d35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170217/
  
URLhaus
https://urlhaus.abuse.ch/url/1424948/

Comments


Avatar
zbet commented on 2021-07-07 14:59:56 UTC

url : hxxp://136.144.41.201/WW/file9.exe