MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa9cee19ccf716d1b4f552ebff91542776e2b17b9a8b4aaf5b1a99ac07771969. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	aa9cee19ccf716d1b4f552ebff91542776e2b17b9a8b4aaf5b1a99ac07771969
SHA3-384 hash:	dd3b3e0598d1b272423ec6ca63a9dde56debd9b35dcbee049044b17266341d83ae0d73fc3307e292bb2e34223e8fe2e8
SHA1 hash:	07110069bbcab9c370d67bc133693bb7125de77a
MD5 hash:	2d465f705ab0d5c94621bb2efc34e309
humanhash:	eleven-uncle-oxygen-lactose
File name:	2d465f705ab0d5c94621bb2efc34e309.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'519'776 bytes
First seen:	2022-03-03 09:02:02 UTC
Last seen:	2022-03-22 19:16:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bdcfbd355ded2508ece8f7e349dd7c8c (1 x RedLineStealer)
ssdeep	24576:GqnOJ/ZKBn/TliaIfs1ZxXUgzEHVINrxPSDemB:GqnFLlxIqjzFrxPx
Threatray	282 similar samples on MalwareBazaar
TLSH	T142657D0122F5E07AF1F31978912B42688F13BC5555B6840F3F3CBD6C2B76E45893ABA6
File icon (PE):
dhash icon	8c1733737333074c (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246812/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c9f429f6-cfef-4ef5-b7f5-661f75a7a7d4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949827

Signature

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa9cee19ccf716d1b4f552ebff91542776e2b17b9a8b4aaf5b1a99ac07771969/

Threat name:

Win32.Trojan.ObsidiumStealer

Status:

Malicious

First seen:

2022-02-24 11:09:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

0cba0f9dafbb15b07c0e8b87ccd3ea7c306198b67dd480c42aa822c0e51ad2e8

RedLineStealer

225c95e3a8aeecea3e461ba3412047f6f456fc2dcf62a0b4bd5b52447817cc0e

RedLineStealer

3946c0e38ab1b245e4d7b1774128f63c4209bb30a5f7ec2301575a5f2c93ee76

RedLineStealer

7d45f54744ff5c0cee3b3053ce2173a115251862eeba050b429ea911f7c36296

RedLineStealer

ddceb69a1686ef3d8ee4196a380592b3a881e8a3e39a055a6db0930619f05bbc

RedLineStealer

e3cf84cf7f8d85d334d107e4fda6a98b021a8d004ef88708957629d0f10be5fe

RedLineStealer

+ 272 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220303-kzf48saba5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/16c30d7a-fd34-4868-a47c-8cccd8d2ba48/

SH256 hash:

a4cfddaf1d8cf220c38810adb603177fc856af0e15818201918c58f303b8c418

MD5 hash:

b7f1de123d073af15bd8eca616104329

SHA1 hash:

356874e2afb68b3f79b63464d3604b269027af3d

Link:

https://www.unpac.me/results/16c30d7a-fd34-4868-a47c-8cccd8d2ba48/

SH256 hash:

aa9cee19ccf716d1b4f552ebff91542776e2b17b9a8b4aaf5b1a99ac07771969

MD5 hash:

2d465f705ab0d5c94621bb2efc34e309

SHA1 hash:

07110069bbcab9c370d67bc133693bb7125de77a

Link:

https://www.unpac.me/results/16c30d7a-fd34-4868-a47c-8cccd8d2ba48/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/aa9cee19ccf7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa9cee19ccf716d1b4f552ebff91542776e2b17b9a8b4aaf5b1a99ac07771969

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe aa9cee19ccf716d1b4f552ebff91542776e2b17b9a8b4aaf5b1a99ac07771969

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2072906/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/246812/

URLhaus

https://urlhaus.abuse.ch/url/2073428/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample