MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
SHA3-384 hash:	bd458446c1872088e626fd52943c96a264a62ce5807ac0f9015ba553f2c2c2810e6406caaddc2c3e14db0b661d712b97
SHA1 hash:	73a175bbf684f85881b6d27d3551d0d6e734d6df
MD5 hash:	d852aed84489b36f5d6b0f6a075cafd6
humanhash:	mobile-grey-dakota-seventeen
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	370'176 bytes
First seen:	2023-10-16 23:42:27 UTC
Last seen:	2023-10-17 08:18:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8c347d587a6b42414b9cc837958b02c5 (20 x RedLineStealer, 3 x Amadey, 2 x Formbook)
ssdeep	6144:vaK3l99cV4E8OO2skVb6H408dLt/bX6MqzrxJqR7rwYxnd:CK199Gp6D8dLt/bX6MqzrxU7kYxnd
Threatray	68 similar samples on MalwareBazaar
TLSH	T107744B087FEE8652F5BCEA71020069268BB8EC35BB276C872694D757ECD53D0C42E359
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/455066/

Detection(s):

Win.Trojan.Pwsx-10011340-0

Result

Verdict:

Malware

Maliciousness:

Gathering data

Verdict:

Suspicious

Threat level:

2.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/652dca87a29a700213a3eec5/reports/8effbdc2-70c2-4615-898d-eba5abb7fe0e/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/18865d58-1fa7-4b98-8da7-6063607a3881

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1326919

Signature

.NET source code contains very large array initializations

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274/

Threat name:

Win32.Trojan.Whispergate

Status:

Malicious

First seen:

2023-10-16 23:43:05 UTC

File Type:

PE (Exe)

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tuparcjmcquj3w6jm3m7dwqsynwz4inszcadkmubtyhajdcmmj2a._file

Verdict:

malicious

RedLineStealer

1e39a11203193be6c4ca338e7eb39030b173ae0ff1dbb86eb713f9341491b8f2

RedLineStealer

3569a55078d704f3753a1b150a83277818c8ebabf3a1a4af3d3fb60e58f3e333

RedLineStealer

4be2c4ea4b6bb5b51c6ee2e61db1ae6088c1e2af1ecc79ebc3d6a175d470f24e

RedLineStealer

9b8f841c5ff40a9d666abf80599758fdf496eed6b7cc6adad1a46e6ebb75c3d8

RedLineStealer

a84f6a0fc98e24ae54dc5cb8a0a32f370fb90063e9caafa2a43b1d3f8dd34c5f

RedLineStealer

a963e7fae47ff5c70a6b2c0133e68a91615dc71a5aa4f57f49789f5b3171ebb9

RedLineStealer

b2c483445d4d5fc2227c8a2026c4c6febe05cfbe0472df7e91d95232e7617b39

RedLineStealer

d0db4bf4979a4573a9933fec9f93616520592172dce856c8f648c2fa94c10f35

RedLineStealer

f0067c9e274316a8c85f026c247d1daba46d98bbe0e1513d5e672eaf3267fd79

RedLineStealer

+ 58 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:build285 infostealer spyware

Link:

https://tria.ge/reports/231016-3qkp6shh46/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

194.169.175.232:45451

Unpacked files

SH256 hash:

4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02

MD5 hash:

281cdc7e284b96011624acded1859799

SHA1 hash:

af8e34c4c7708547c8f2d35a13121c7a9d6fcd20

Detections:

redline

Link:

https://www.unpac.me/results/8616932b-226e-4e92-9c41-898ffeb0fba3/

Parent samples :

399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d

SH256 hash:

9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274

MD5 hash:

d852aed84489b36f5d6b0f6a075cafd6

SHA1 hash:

73a175bbf684f85881b6d27d3551d0d6e734d6df

Link:

https://www.unpac.me/results/8616932b-226e-4e92-9c41-898ffeb0fba3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9d1e08892c14/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/455066/

URLhaus

https://urlhaus.abuse.ch/url/2706937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample