MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 10

SHA256 hash: a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c
SHA3-384 hash: c61ba4e921a7687e46daa712b1936330c7ea9919ab32ed22700260401f8166be63efa3de3b7fe3a00bc0e08891413384
SHA1 hash: 0d3eca4ef5534bc114934c34457b2760673d851b
MD5 hash: 0d65458e0d2fba405d9eddf3c5f474c0
humanhash: bluebird-salami-march-hamper
File name: 0d65458e0d2fba405d9eddf3c5f474c0.exe
Signature: RedLineStealer
File size: 550'680 bytes
First seen: 2022-02-03 13:54:13 UTC
Last seen: 2022-03-22 19:19:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dd74c9919503d6f89c3c73a9f1208fee (1 x RedLineStealer)
ssdeep: 12288:OYDD6XvmNjw7sCX2u4ZZHXynPilyEpEuWHE:O2D6fmNjw7t4yZE
Threatray: 201 similar samples on MalwareBazaar
TLSH: T172C41281BB15D045CAAA523ECAD39AF27253FDB7FCC5A9D72080BF4A30735D05A07986
dhash icon: cfcfc3e19999e1e3 (1 x RedLineStealer, 1 x CoinMiner)
Reporter: abuse_ch
Tags: exe RedLineStealer signed

Code Signing Certificate

Organisation: Kingston Fury Beast DDR4 2x16Gb CK432C16BBK2/32
Issuer: Kingston Fury Beast DDR4 2x16Gb CK432C16BBK2/32
Algorithm: sha1WithRSAEncryption
Valid from: 2022-02-02T10:19:50Z
Valid to: 2032-02-03T10:19:50Z
Serial number: 1b473c042ca767a741cf0b6cc20e7ad9
Thumbprint Algorithm: SHA256
Thumbprint: 8894a817a58e016adc6c51dcc05f8a181d5f89497495e410a5423f51259479a6
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 184
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Creating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-02-03 13:55:09 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 17 of 28 (60.71%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:guloader family:redline discovery downloader infostealer persistence spyware stealer suricata
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Guloader, Cloudeye
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files

SHA256 hash: 0cc1d9483db4905c2616d16026f90be178dfed0eabbeb06762ab11c66f0fe785
MD5 hash: dc4bc800c1209fc0b70056dfdc31a41f
SHA1 hash: c4bdd0e1e05d352bff0eba13f6f1acbb4b2a0fde

SHA256 hash: a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c
MD5 hash: 0d65458e0d2fba405d9eddf3c5f474c0
SHA1 hash: 0d3eca4ef5534bc114934c34457b2760673d851b

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c (this sample)
Delivery method: Distributed via web download
