MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
SHA3-384 hash: da7c57227611a78628a43babe57f1a05a970f8b8156749dca5539b1f9b07aba56dbcc2f51c8aeb1b698a68e703e538e2
SHA1 hash: eff0cc10facf05ed7fae76c5d81efa9cb1e1a5bc
MD5 hash: a83da008a50c181d242cdf446df21ffd
humanhash: winter-jupiter-fillet-cold
File name:a83da008a50c181d242cdf446df21ffd
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:760'832 bytes
First seen:2023-09-10 13:37:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:HMrmy901k6EO9Ay0s7pgCy+L66GMOxr1LKb8cLlCPVn2VN0u9eKFP/I49cX4dowW:VyCk6D9Ay0s1vxLV1OZ1LyLlM0D0u9ex
Threatray 2'889 similar samples on MalwareBazaar
TLSH T1EFF4129377D89066DCB92B708EF507931F3ABC520D78836B3655895A0CB3B84A93533B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a83da008a50c181d242cdf446df21ffd
Verdict:
Suspicious activity
Analysis date:
2023-09-10 13:37:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e21a17c-2e5f-4ade-9594-37b32617eba6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447728/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching a service
Searching for the window
Creating a file
Sending a custom TCP request
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack CAB control explorer greyware installer lolbin lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/64fdc6ba003a02a1c0927b52/reports/d7ee8aec-ea4a-49f2-8980-acb73aaa1a12/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ab1d9b9-fb31-4da5-a3b2-6887faa461e0
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306855
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306855 Sample: TuN7pFbTn2.exe Startdate: 10/09/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 8 other signatures 2->70 9 TuN7pFbTn2.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 file4 48 C:\Users\user\AppData\Local\...\x5361143.exe, PE32 9->48 dropped 50 C:\Users\user\AppData\Local\...\k4336917.exe, PE32 9->50 dropped 16 x5361143.exe 1 4 9->16         started        process5 file6 40 C:\Users\user\AppData\Local\...\x8602746.exe, PE32 16->40 dropped 42 C:\Users\user\AppData\Local\...\j7759286.exe, PE32 16->42 dropped 56 Antivirus detection for dropped file 16->56 58 Machine Learning detection for dropped file 16->58 20 x8602746.exe 1 4 16->20         started        24 j7759286.exe 13 16->24         started        signatures7 process8 dnsIp9 44 C:\Users\user\AppData\Local\...\i1216688.exe, PE32 20->44 dropped 46 C:\Users\user\AppData\Local\...\g5021231.exe, PE32 20->46 dropped 72 Antivirus detection for dropped file 20->72 74 Machine Learning detection for dropped file 20->74 27 g5021231.exe 1 20->27         started        30 i1216688.exe 4 20->30         started        52 5.42.92.211, 49705, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 24->52 file10 signatures11 process12 dnsIp13 76 Contains functionality to inject code into remote processes 27->76 78 Writes to foreign memory regions 27->78 80 Allocates memory in foreign processes 27->80 82 Injects a PE file into a foreign processes 27->82 33 AppLaunch.exe 9 1 27->33         started        36 WerFault.exe 23 9 27->36         started        38 conhost.exe 27->38         started        54 77.91.124.82, 19071, 49703 ECOTEL-ASRU Russian Federation 30->54 84 Antivirus detection for dropped file 30->84 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->86 88 Machine Learning detection for dropped file 30->88 90 2 other signatures 30->90 signatures14 process15 signatures16 60 Disable Windows Defender notifications (registry) 33->60 62 Disable Windows Defender real time protection (registry) 33->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-10 13:38:05 UTC
File Type:
PE (Exe)
Extracted files:
117
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttptrsynvh4rvdnqozwu3zmwo3ccghwfsdu3hmuuaxtyqdhdlrsa._file
Verdict:
malicious
Similar samples:
01bda45f92bdaf75de7f809024177c873d12b133bb70ee1bec243ab7d3e9e3d7
RedLineStealer
0a458d8affc7f401e1c3b2ad52d0eb135dfab6c4a8e79c3d307c4145b184b239
RedLineStealer
23774dbb2c4be8e348bcd22a396bdd4567ad47acc24fbc65860a8112cadb0ab9
RedLineStealer
553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de
RedLineStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
RedLineStealer
7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce
RedLineStealer
845321e0072b6a37c502b6f5992d8e750ac254c3b09c9e55874722fae5ba87d4
RedLineStealer
8df6ff949de778a20deb98bd90e21d9e9449045b73f75cd62c051957997882bb
RedLineStealer
a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d
RedLineStealer
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
RedLineStealer
+ 2'879 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:healer family:redline botnet:virad dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230910-qxcxpahd69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.124.82:19071
Unpacked files
SH256 hash:
dbaf00646b7630bb7939d82ceacbb65f270d9eccb62927e66590b63e855f1e84
MD5 hash:
62ed4a23765dc876563ca4ec96a06596
SHA1 hash:
e5fcea229bfb10f19524dbedf8377bff123a382c
Link:
https://www.unpac.me/results/6525fd28-3100-4756-8b42-4fc8eded2de6/
SH256 hash:
675a03a83a6667cdd454f3523fd06da16ed6f8da89181ec08f5701faaab7457d
MD5 hash:
f9e5b02e5739cc922cbb6876c73f8223
SHA1 hash:
33fdd7047963bfc7f332521f89664c9384c8fa9b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6525fd28-3100-4756-8b42-4fc8eded2de6/
Parent samples :
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
SH256 hash:
3fc0e858430c000567660879849bb8ea3c3ed18437e20c5528dd706bbb1faa73
MD5 hash:
cb4bdfd54068ef5bfbde57d9805543c8
SHA1 hash:
7cf0f0a8b143b681f7dd1025987339629d812845
Link:
https://www.unpac.me/results/6525fd28-3100-4756-8b42-4fc8eded2de6/
SH256 hash:
d351126535937b11934d2dfad4d40da0eb984b0f465fa59d65cd79a14ac4b7ca
MD5 hash:
d10cc5bd35d595497785720d2f38bd20
SHA1 hash:
fbf36955883049333a88eff853abccdb8bbf3c1a
Link:
https://www.unpac.me/results/6525fd28-3100-4756-8b42-4fc8eded2de6/
SH256 hash:
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
MD5 hash:
a83da008a50c181d242cdf446df21ffd
SHA1 hash:
eff0cc10facf05ed7fae76c5d81efa9cb1e1a5bc
Link:
https://www.unpac.me/results/6525fd28-3100-4756-8b42-4fc8eded2de6/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9cdf38cb0da9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447728/

Comments


Avatar
zbet commented on 2023-09-10 13:37:13 UTC

url : hxxp://77.91.124.231/new/foto3450.exe