MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ec207ae48336b57f0780c0e3504692e538e56bddbbfd3cc2835d1e2cc23e9e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ec207ae48336b57f0780c0e3504692e538e56bddbbfd3cc2835d1e2cc23e9e3
SHA3-384 hash: 06770c1e12844282496866c898cff980c58626b804aeca2523ef49f4093bdeef4d8702aa8ab2c8cd9aff5fb459179ce9
SHA1 hash: a86945efeafeaa49a0b107f470ce48b2c960f683
MD5 hash: a3d6dc6e0de4e3c03ebb39d50f25a34f
humanhash: potato-yankee-fourteen-snake
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:830'464 bytes
First seen:2023-04-12 17:43:16 UTC
Last seen:2023-04-12 18:18:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Xyr1ymaPEQ3OSuzqHu2F9ohQWL/mplKpQ47sJgyHxM:XjMsJWE4qB
Threatray 7 similar samples on MalwareBazaar
TLSH T120058D2C19EA4611F07DD7758B704030A3B1FAE7FA29EA1CDCD341891A62F81B99176F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc791620691_662132849?hash=ljtc1m7tmkYeXoHEqg1HIGwqYZ0y9gjv77ig9Ot4KIg&dl=G44TCNRSGA3DSMI:1681315096:rtz1bidM0pbv2V0ZnTpRnrY69ESs4ZT6uRcDjS7QE4c&api=1&no_preview=1#qw10

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-04-12 17:45:45 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/6c8c6746-3ce2-4ba8-a833-696ff28fc56e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381866/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.692.13103.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6436ede359a1287810bbf87d/reports/b94e990f-545e-4c24-9754-8c4160be1c45/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9ec207ae48336b57f0780c0e3504692e538e56bddbbfd3cc2835d1e2cc23e9e3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0660dbb1-ad28-4d53-8aa7-4d305a3e5437
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212769
Signature
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ec207ae48336b57f0780c0e3504692e538e56bddbbfd3cc2835d1e2cc23e9e3/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 17:44:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3baplsignvvp4dybqhdkbdjfzjy4vv53o75htbigxi6ftbd5hrq._file
Verdict:
malicious
Similar samples:
16c5838cf7bc790900e29410387a62432144dd69f95e4835e8a1127193d544dc
RedLineStealer
3c53c9fabd1631125c5d295d22f5482ae226cf0bb34bc3de88e530b72347fc88
RedLineStealer
4ea4b6cbaf98b2304459db08764763ee79d1c386588e67e85b23ebed57080053
RedLineStealer
623cb799efc758a9e1de46b7c5f209781e3627a11b06b9aac676e21a6363d71e
RedLineStealer
8e57f4355c28fcb5fba9768415171d9499a24e960de241dedd246e8beb1f0d62
RedLineStealer
b538f36452294a608712507dba867ee7667241daf9cd59758bb21481c84e5232
RedLineStealer
fbeeb6a35eb0525ad3f6ee6559833b6dc2bd314032f26e006e597c4fce614718
RedLineStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230412-wa5xvadh52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
523dd88a30def67dd7a7dfa61f3e634c9bb85ee4f7132671a78053fe9f311bcd
MD5 hash:
c080249289bb4c6f21a83a3c8a651242
SHA1 hash:
bf009a50c726f57c510ba810c7df5a3c2c26bb4b
Link:
https://www.unpac.me/results/93158045-65a1-4b59-9817-7f5c125e9ac7/
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/93158045-65a1-4b59-9817-7f5c125e9ac7/
SH256 hash:
e8bf496d0a3c882cf493ab5ac9eb278ed8f958d04df979aa3020567196fe59ee
MD5 hash:
126a2763f0a5a27e53dd5460be1eaca2
SHA1 hash:
041946ec53b1c5bf0679cf1db73fb00ff32d6b56
Link:
https://www.unpac.me/results/93158045-65a1-4b59-9817-7f5c125e9ac7/
SH256 hash:
9ec207ae48336b57f0780c0e3504692e538e56bddbbfd3cc2835d1e2cc23e9e3
MD5 hash:
a3d6dc6e0de4e3c03ebb39d50f25a34f
SHA1 hash:
a86945efeafeaa49a0b107f470ce48b2c960f683
Link:
https://www.unpac.me/results/93158045-65a1-4b59-9817-7f5c125e9ac7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ec207ae48336b57f0780c0e3504692e538e56bddbbfd3cc2835d1e2cc23e9e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/381866/

Comments