MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8
SHA3-384 hash: c70587260e149b8b849427c29e8c83411673edfb780ca9e7af9f60c93530b2e608b1cafd604d4f38fe9f72a5ec9e54c5
SHA1 hash: 9d6c99ce36c3afece456f15e4ed48751280fb7b1
MD5 hash: 012fa955d04acb74b6ba50647494cc9d
humanhash: monkey-jig-apart-burger
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:320'000 bytes
First seen:2024-09-10 17:34:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:enDlmBDRJ28dVJEwYFlFrHdOxyXbfyfZV4xpAVzk3HFn6XCcTPxZQdLs2x:eRwDldbRYFlFrHcxybfyfZV43AeFYL5g
Threatray 7 similar samples on MalwareBazaar
TLSH T18C642315E77011A7FBAB3B7294027772328AF2008DE6EFBC29E541057C62E956432DE7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: http://147.45.44.104/yuop/66e0794cb9ebc__PORETYNOJEMcrypted.exe#main

Intelligence

File Origin
# of uploads :
1
# of downloads :
412
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-10 17:37:44 UTC
Tags:
stealer redline metastealer evasion
Link:
https://app.any.run/tasks/04eae52f-1a36-4979-9c0d-e77ecfa8d1af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Pwsx-10035189-0
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e0834a76bc4542b0495db0
Tags:
Generic Static
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66e083493217f3984dd00311/reports/71fa292e-7b0a-4bf4-8085-4ef467a98cb2/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08ee279a-3cf4-4bad-a9de-cd3e674f7623
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1508868
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tz2e456q6uoxud4ydjvcesv2l6polkdgtcwqtd4iyof67fk7ehma._file
Verdict:
unknown
Similar samples:
8eb8822fcff05d89036329669bd654ca07ac68acbe7266d62223e2b5ad9eb67b
RedLineStealer
aa5fda8f2d38bc9f1f856b13235ba827f26d580e284675c89381197f283e1e77
RedLineStealer
abca40b38e430b2eca2c726dfbda0179abc347028f401bb3ddc143c293e218b5
RedLineStealer
daf4e8849a3b6011bff41cc2c7decee8c769a4ebf2be3d7316930f40448ddb25
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@poretynojem credential_access discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240910-v5z5eawblm/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.215.113.22:80
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/72058848-073c-45df-973b-6deb9a9d3b0d
Unpacked files
SH256 hash:
a5b8249c787ecf9e2f54afd0429e83b000e8cc3da6b71e86e473e7720100679b
MD5 hash:
96e079addf3510dd7dd3b1b8a2b75575
SHA1 hash:
0e2940552ef029970cd7ffacfc850edb841b4c0c
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/8ebb933d-a8ad-4034-88da-16b9c1980770/
Parent samples :
5d06ec15c9349e9ae13d477fdab3d1a50b9bf784a726aff3a48dbcd5f99e493a
9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8
SH256 hash:
9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8
MD5 hash:
012fa955d04acb74b6ba50647494cc9d
SHA1 hash:
9d6c99ce36c3afece456f15e4ed48751280fb7b1
Link:
https://www.unpac.me/results/8ebb933d-a8ad-4034-88da-16b9c1980770/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e744e77d0f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9e744e77d0f51d7a0f981a6a224aba5f9ee5a86698ad098f88c38bef955f21d8

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3165846/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments