MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce97b2a248555831866151f6c4d9c682dc792f6df3e3e8f8142bdc717f34876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	9ce97b2a248555831866151f6c4d9c682dc792f6df3e3e8f8142bdc717f34876
SHA3-384 hash:	7b7eef3bb5fc23cabb503b0eddaf65b81d7b65b8bfa3885f9599f0e5a1366c90a21f93644f282d5ca0ea338d99808293
SHA1 hash:	16971717727904a72a5e28aaa2880f742d0da251
MD5 hash:	e7f1d6295c544b22d81541c7b379f035
humanhash:	georgia-october-thirteen-india
File name:	RedFlame.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'447'360 bytes
First seen:	2021-09-11 10:37:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:65qB8JgC/rarwYAkZXXV827q4dm3EdSPxy7TNhdxCzVlQM5JEkPHbx2ewUStI:uqKWor0fXlV7xdm3EEPqZh763F5lfV2Z
Threatray	5'784 similar samples on MalwareBazaar
TLSH	T1DAB512D831D8BD8FF3875970E24309167108EE53D73B8260385EF7D2AEB60B9960695E
dhash icon	18b2f06171dccc64 (12 x RedLineStealer)
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RedFlame.exe

Verdict:

Malicious activity

Analysis date:

2021-09-11 10:40:04 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/00c23e83-8a0e-4293-989e-10be2f20e08c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/187051/

Detection(s):

Win.Packed.Razy-9883428-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a window

Connection attempt

Sending a custom TCP request

Launching a service

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/37d9aa05-cb01-4675-bfc4-df00a941ea56

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/849136

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ce97b2a248555831866151f6c4d9c682dc792f6df3e3e8f8142bdc717f34876/

Threat name:

Win32.Packed.Themida

Status:

Malicious

First seen:

2021-09-11 10:38:11 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

1/5

Verdict:

malicious

RedLineStealer

12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba

RedLineStealer

25c212b01aed427cbe5c5e0f06e5edd0188f881551347aa20804b3da88da2af2

RedLineStealer

28f5fa7118d4f1866643d781c3fee5cb4507f3d268c263ef40551d527da2c330

RedLineStealer

a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2

RedLineStealer

bff3d8677d0c866b3fa47a2176ba05c9ae03cc215794896f2ef922a1aa037097

RedLineStealer

+ 5'774 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/210911-mpdx8sbcf4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/2c52599f-cdb4-4fda-9bc5-033a83c4be6e/

SH256 hash:

9ce97b2a248555831866151f6c4d9c682dc792f6df3e3e8f8142bdc717f34876

MD5 hash:

e7f1d6295c544b22d81541c7b379f035

SHA1 hash:

16971717727904a72a5e28aaa2880f742d0da251

Link:

https://www.unpac.me/results/2c52599f-cdb4-4fda-9bc5-033a83c4be6e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9ce97b2a2485/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/9ce97b2a248555831866151f6c4d9c682dc792f6df3e3e8f8142bdc717f34876

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/187051/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample