MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a789b41c36147d03dbc7584dbec1e8f4ca2b14880850d58073f8792bfd7d2719. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash:	a789b41c36147d03dbc7584dbec1e8f4ca2b14880850d58073f8792bfd7d2719
SHA3-384 hash:	fe30e51cae2bea9e2dd0ac7db44beaf547ff2ad6d8135b3e414f6c9fa55957468be8fe241144c50bf4285f934620cf1e
SHA1 hash:	af7b1899e0eb230ee6bcab51abf8a5c9616b9796
MD5 hash:	352d46077ee0a11f7e28ff4267a9894e
humanhash:	ten-jig-kentucky-island
File name:	rrmix.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	454'144 bytes
First seen:	2022-05-17 15:56:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e36ddc5cc0b62f12e4e1132bd94da19c (9 x RedLineStealer, 3 x Smoke Loader, 1 x ArkeiStealer)
ssdeep	12288:3Q5U06d381dVsMoUyjreiFi3C07hSt+H6ooaTnK:3G56udmMoUyHeui3zdI
Threatray	5'825 similar samples on MalwareBazaar
TLSH	T1B8A49D00BB60D434F6B712FD4AB9C2A8753A7EA15B2451DB12D53AEE5E35AE0EC30317
TrID	39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter	JaffaCakes118
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

rrmix.exe

Verdict:

Malicious activity

Analysis date:

2022-05-17 15:56:19 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/863bfd93-b216-49f8-95f5-648e706607f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/271715/

Detection(s):

Win.Packed.Generic-9950062-0

Win.Dropper.Stopcrypt-9950158-0

Result

Verdict:

Malware

Maliciousness:

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/18394/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6283c6056b2a366ce418f162/reports/7279a481-c96a-4ad6-8969-9eece70e0286/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/564cfc54-e1ca-4a6d-9948-ca342b08cf7e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/996013

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a789b41c36147d03dbc7584dbec1e8f4ca2b14880850d58073f8792bfd7d2719/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-05-17 15:51:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u6e3ihbwcr6qhw6hlbg35qpi6tfcwfeibbinladt7b4sx7l5e4mq._file

Verdict:

malicious

RedLineStealer

58ee001c59bb304083f104532c86735da59c40afe37cdf8d454a4c0d85ded33a

RedLineStealer

5ce932383439ff73c074893f040380801b621b1127231a05a45a174c3b57fb9c

RedLineStealer

6531340e88093ba2b74d9ef802b149b66e731feb806dac007a0d2c3277394762

RedLineStealer

6f3967920fdd11537dbadfbe9cb89bb3005469992fa0f16b724ff2758f42969f

RedLineStealer

78b91f7023a618741537ebb2263b4803086d9b12553225c7389232cc2f8452d9

RedLineStealer

81c52d656c6138fe9c3081a70bf1e9c67b398b99b2b93462330cbe39a27ae86d

RedLineStealer

e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e

RedLineStealer

e82f3e37c73592bf7e6240391521edc13cdf43628807cd2f722c229bd962e086

RedLineStealer

ebc052ea936b31dbde5f38163c6ba2912227b90e285c036d1a910dfcae96524e

RedLineStealer

+ 5'815 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220517-tdxdrsece9/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.233.48.58:38989

Unpacked files

SH256 hash:

eb26648f1e6b0a2e1e0a88021c0b7ab62c687c1cae6d2b1760b1fbceeb2408ad

MD5 hash:

db9077526b3a3ff8749657c6b1b329d9

SHA1 hash:

6aba8f1763291e88783cb992a5e44cfca0881df8

Link:

https://www.unpac.me/results/8431c125-a079-4701-b086-13a0b7612b67/

SH256 hash:

588f4411103884021efa84dee24dbe00effadfe358250d0fec5fb02e6dda6d96

MD5 hash:

3e52defcd4517fc3a5c4f65226a3004b

SHA1 hash:

65e96cb9495b34e897bcddac3ef3450089f19d83

Link:

https://www.unpac.me/results/8431c125-a079-4701-b086-13a0b7612b67/

SH256 hash:

8bb0caa8f111512d3ebb4c5f427f287a8e69c7b465fef0e46e5741c7489a3d3e

MD5 hash:

b37cb4b6fd8f51e3f8919135227e3d0f

SHA1 hash:

4edea527bea1443ee4f51a5a612ac85274177992

Link:

https://www.unpac.me/results/8431c125-a079-4701-b086-13a0b7612b67/

SH256 hash:

a789b41c36147d03dbc7584dbec1e8f4ca2b14880850d58073f8792bfd7d2719

MD5 hash:

352d46077ee0a11f7e28ff4267a9894e

SHA1 hash:

af7b1899e0eb230ee6bcab51abf8a5c9616b9796

Link:

https://www.unpac.me/results/8431c125-a079-4701-b086-13a0b7612b67/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a789b41c3614/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a789b41c36147d03dbc7584dbec1e8f4ca2b14880850d58073f8792bfd7d2719

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.