MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9daf2f75a905c746b60396ac3a2842d8f9936c3d93f33d73d55484a78667bef3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 8 File information Comments

SHA256 hash:	9daf2f75a905c746b60396ac3a2842d8f9936c3d93f33d73d55484a78667bef3
SHA3-384 hash:	6e553736eb3d8a27e899884db2fb1fa604e9525bd9522c10ced4bfee39fbbf4547acb91bb3e05ed75c1c68e0c5df7106
SHA1 hash:	d7e2c32559e0b9a665644da9f1db095ddebc79a6
MD5 hash:	3e1b8bdfa86763f319ad8a6fdd592aa7
humanhash:	finch-april-beryllium-autumn
File name:	3E1B8BDFA86763F319AD8A6FDD592AA7.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	160'256 bytes
First seen:	2021-08-03 20:11:44 UTC
Last seen:	2021-08-03 21:07:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e2c35996aa925d581769eb5163b32945 (1 x RedLineStealer)
ssdeep	3072:OT78OUMe08RshqMwR8Dv0nd5nIUYMmYJpIFqp+W7KxB+ptomKz0AmdoigQ0T:o8O0P99d5nBmYvOqp+WO+LoigQ0T
Threatray	950 similar samples on MalwareBazaar
TLSH	T124F36C42CBA25241E4631B3CAB3E5F6583267F321563E0771D861DECA61A9E79C20FD3
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
80.89.230.42:5461

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
80.89.230.42:5461	https://threatfox.abuse.ch/ioc/165615/

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://mega.nz/file/HFgFUa4Z#5rkOpq6AtAO0VyRtQ73Uo33BMXDHh6DAa2izJo-9uhg

Verdict:

Malicious activity

Analysis date:

2021-08-02 06:28:04 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/2f9fec80-a4b2-4d8e-a0cc-2ed2bdd8f574

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176177/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46724370.31837.29582.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e27957c5-b40e-4e7f-b777-2508a805974b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/826510

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Process Start Without DLL

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9daf2f75a905c746b60396ac3a2842d8f9936c3d93f33d73d55484a78667bef3/

Threat name:

Win32.Infostealer.Reline

Status:

Malicious

First seen:

2021-07-31 22:27:15 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=twxs65njaxdunnqds2wdukcc3d4zg3b5spzt246vksckpbthx3zq._file

Verdict:

malicious

RedLineStealer

05f8f63c8d350131b7d462363a1f69e73964604e5db4ce982f81a6db4c871faa

RedLineStealer

2040517dac0b553d4a589bb8c14ca4329022e0ce5e5d0ef0f2c08a2deb10fb5b

RedLineStealer

345ab0139a94ac9aa2c07ecb0ca7e8896bc0ebb735d81d318b7fc8364488fbef

RedLineStealer

50641b6873076f461c03ebb7937514a2d4a5d494a5143492ad6b8b22131a2190

RedLineStealer

5551014543bed9e2f9337ed423533fff41d4223a294efbd0fde6bd95296adc71

RedLineStealer

a9413d0e72606171e933d573c31949d552662e4bb62461b12840ab6c8e008c6e

RedLineStealer

c44f4f19f854e3a7312d262f8225024d3eb235fc580f4175ab923a4acd0231ff

RedLineStealer

d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702

RedLineStealer

+ 940 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:dambar infostealer spyware

Link:

https://tria.ge/reports/210803-x3xcqn2l7n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

80.89.230.42:5461

Unpacked files

SH256 hash:

f2287ccd30083c33450115c1574a06cf1ecc4529d4107bdc5a9c1785763d45a5

MD5 hash:

99bb9fa7dc165b17143337266ef6be3b

SHA1 hash:

f674e5e5ba23a271fc3b66755381caf404a4aa78

Link:

https://www.unpac.me/results/34140ae1-ef82-4a5c-bf49-4110a86af301/

SH256 hash:

9daf2f75a905c746b60396ac3a2842d8f9936c3d93f33d73d55484a78667bef3

MD5 hash:

3e1b8bdfa86763f319ad8a6fdd592aa7

SHA1 hash:

d7e2c32559e0b9a665644da9f1db095ddebc79a6

Link:

https://www.unpac.me/results/34140ae1-ef82-4a5c-bf49-4110a86af301/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9daf2f75a905c746b60396ac3a2842d8f9936c3d93f33d73d55484a78667bef3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/176177/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample