MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d9d2f25390f2efedd7c6744cb6537857775dfc6b3f72882f664121501e8371f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	9d9d2f25390f2efedd7c6744cb6537857775dfc6b3f72882f664121501e8371f
SHA3-384 hash:	6c711beec71c0bcab09b2e4fc52906981779e326db7da9b9824da5773eb840c8603552232de023558958e082fd5267ba
SHA1 hash:	887d9c410befdb9d94e000a205e43661b7b40f4a
MD5 hash:	9f583e8f123c17db1efc08daf4cfec4c
humanhash:	vermont-north-william-glucose
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	244'224 bytes
First seen:	2022-11-17 10:59:14 UTC
Last seen:	2022-11-17 12:41:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fa8640a79704fef7deaa607934e0abc9 (11 x RedLineStealer)
ssdeep	3072:vS0rGlPWNC91KAP7wLizJQ7fVIhGwQLCy8z0z1eyt+Bxv8pDkMqO1fVga0Cs4:vSjPULuSNgMkz0z1efxEVk1GVy4
Threatray	1'422 similar samples on MalwareBazaar
TLSH	T1A8349C1BB973A039CD06D0FE08D5D2A1A37C0B316A95D0C276CB0B6F4E315EC59B96E6
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13097/50/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-17 11:00:32 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/1420d363-5076-418f-b951-05d6a218ef42

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/335289/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.29253.17825.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Connecting to a non-recommended domain

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/6376143342e3c45b840c1447/reports/eba5005b-8ec0-429e-bfc6-8832218bcc64/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51921caa-a545-470a-bf85-83f8ce81c9b1

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1115668

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d9d2f25390f2efedd7c6744cb6537857775dfc6b3f72882f664121501e8371f/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-17 11:00:08 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=twos6jjzb4xp5xl4m5cmwzjxqv3xlx6gwp3sraxwmqjbkapig4pq._file

Verdict:

malicious

RedLineStealer

4793af5e6a701a792d1231a4207b99300825299b23955328972acbfde974e767

RedLineStealer

548e9a18cd3b0202cc2542091ec35d5b72b7966865e9472025b6485bd1dfc7a9

RedLineStealer

54f626a76890bd100e866fefe7daa21b253760d180dd122e99e5cf86c345c39b

RedLineStealer

900340be52f1ec06c16e249327f413454ffb4e5a0df9caf880dee1236f18f8c5

RedLineStealer

b629a616c8b459f587ecfa6507efa841df3984fa0d8525cbdfbec4ba7e66aeac

RedLineStealer

cdcb1cbf81cb108f1bba4e358c632097582efd36f7b7979c553ff1e83b833760

RedLineStealer

+ 1'412 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@madboyza infostealer spyware

Link:

https://tria.ge/reports/221117-m3zrvsac5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.106.191.138:32796

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8a698aca-a413-457e-a238-8e7eeebb62e4

Unpacked files

SH256 hash:

4d13d06d716a80fce5a93547c34cca425473f462ff00a79f7ae1b8ab7db6a5b0

MD5 hash:

7d0bf0ede21d398b4a65e556a1edc433

SHA1 hash:

9174da73bfe26cd61eaad6ae078f11300891db2f

Detections:

redline

Link:

https://www.unpac.me/results/52def83e-0d0c-4993-a4d8-e0c48b80dffe/

Parent samples :

323a424031828737354285bc660d6333754fe9ff077d1214129d598024de8c14
548e9a18cd3b0202cc2542091ec35d5b72b7966865e9472025b6485bd1dfc7a9
b629a616c8b459f587ecfa6507efa841df3984fa0d8525cbdfbec4ba7e66aeac
900340be52f1ec06c16e249327f413454ffb4e5a0df9caf880dee1236f18f8c5
54f626a76890bd100e866fefe7daa21b253760d180dd122e99e5cf86c345c39b
9d9d2f25390f2efedd7c6744cb6537857775dfc6b3f72882f664121501e8371f
f02358a4229085fd7b5da0b923b6dc67244099c1da2acf2eb1f696b905b2b7b6
a3db3a64098426a931442a40b114d188f09b4895c54dd5e57e23356c14d85e0d
9ef2d217d94bbd09b8a51941218fb62465801107557be2cbd376263ee27f4082
7e0a00f8d6ce93d96f887fc2372e24117e2b5c425c415842e7b4e8051ac03eae
a5833b3b40cdc6def671953c3a8075b3864e068e1d9b3dde5256380dfa6315bd
b57a603bb9ffb091e81dbad33fab9d7840b56ce0f2584b3168f79e5909dad331
efcc04f8e872488d642bd288dfac2f078d611de316770fde47d1dc9a0e76aa84
9158b433505974c8a6db1f168c19604f60e46ed79f6981d8dbd42d49c1078a98
4709fd98726279f1671ff8486d4dbaa7d475972599d50740ca606248d13f904b
9746de42e598888d36496f78c8cdb7145db4fa524ab4fa924ce7e2d19480731c
2f067abf432e132947018cec390ed0a6a552a32f77bdad852d1adb75266c2e58
d99b7f70d1451c0ac595420b2fe983ecda625c47575ee4a24e786dc440626a55
55b090bf222bcc1520d72defa7cb7f93b78909fc77c261151a25a2970d0a5cbb
328d1ecec81fbe3bb0d9a76226fd8d7f555c0dc6a4107a05428fe27c2869fbbd
b50afa7b5584104dd0f93b85a448feb12c14a7f10b256071e47e90603b8b6280
415429a768dcd1d4a24bd7781f16f7814aabd7f6aeb6a5fa312218bede547160
7ca931c4fdd7c8f42528877186dc718896508c98d2cb7346a956af2f7ad26a3f
b8eae4aa0ba655621dc231943e732fa0d5399a4a255b7b6652d06275d3d2f4ef
e9cbe3213f2d0d3fbe2d69e387de540abb36946b92a6aaf62b9d8c3f702dd947
a444b1d644cef528fcdd3cf1ab763e2aaadf794b64b1eeb960679766bae92c75
762d455a078d13b6b89bcce46db81dd3e755055bf499e856911fe542c7fd8d83
b3e14be741aad18d69038dfff3faef9f99a0974df8d7032fdab383a30cadbedd
00b6ed886450dcf28adc280a58a6e00c3176fd14c0fe216d95fd6d18b9471556
200bb7cb4ff972ed61d1f4d6b2893dc611e8aa1005bbba8b28d1b7e56f6677f4
1c1b1d19e8811b999d628b5af81dd2bc87e8da7d9339b97af4511346b4d6ea3b
4268a707cdc42b0b2543831ff435c280efbab5dc7424bb519bc9a1f3ffaca9a0
22932ac12c61f7ade37d16a82ad02d08259263020f4a465d15f2830fa03df12b
55bdc0f9d7483995f5ec82f3bb8d528815cf80cdc1a35dabb674e4abdf25ed1c
74d80d553297cc9c8d4ef2429d304d22df0f704010c897843e09bd80354c2646

SH256 hash:

9d9d2f25390f2efedd7c6744cb6537857775dfc6b3f72882f664121501e8371f

MD5 hash:

9f583e8f123c17db1efc08daf4cfec4c

SHA1 hash:

887d9c410befdb9d94e000a205e43661b7b40f4a

Link:

https://www.unpac.me/results/52def83e-0d0c-4993-a4d8-e0c48b80dffe/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9d9d2f25390f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d9d2f25390f2efedd7c6744cb6537857775dfc6b3f72882f664121501e8371f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/335289/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample