MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b133d412502ab9654837fc898e800503003bdda51480c711838a381aecb99942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer

Vendor detections: 10

SHA256 hash: b133d412502ab9654837fc898e800503003bdda51480c711838a381aecb99942
SHA3-384 hash: 28166f7b2a1fef7743304a587611086e26a14403e6f6db5b18dfe900781b3020755da81fe5c7ea954a85274da0a3d67d
SHA1 hash: e4616c03e84a6ec43fa8744559442767ce414dc6
MD5 hash: 3e9aea1d3bdd8c6c3b556af3e95ed900
humanhash: twelve-alanine-alabama-orange
File name: 3e9aea1d3bdd8c6c3b556af3e95ed900
Signature: RedLineStealer
File size: 432'640 bytes
First seen: 2022-01-15 22:55:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ff3e4cda8b895030c8a915a582759da2 (7 x RaccoonStealer, 5 x RedLineStealer, 5 x CoinMiner.XMRig)
ssdeep: 12288:8q+ikdOJqh7B6nwQiPC2OKulnK1RKRaB1riNg:Z8dOJM7MwQWM4UarP
TLSH: T17094C010FB60C035F4B712F84AB6936DB92D3AA1576490CB63D42AEE5738AE1ED31317
dhash icon: 2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 351
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 3e9aea1d3bdd8c6c3b556af3e95ed900
Verdict: Malicious activity
Analysis date: 2022-01-15 22:59:45 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
  MalwareBazaar
  SystemUptime
  CPUID_Instruction
  MeasuringTime
  EvasionGetTickCount
  EvasionQueryPerformanceCounter
  CheckCmdLine

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Found malware configuration
  Found many strings related to Crypto-Wallets (likely being stolen)
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Crypto Currency Wallets
  Yara detected RedLine Stealer
Threat name: Win32.Trojan.GenSHCode
Status: Malicious
First seen: 2022-01-15 22:56:11 UTC
File Type: PE (Exe)
Extracted files: 27
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery spyware stealer
Behaviour:
  Checks processor information in registry
  Enumerates system info in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Reads user/profile data of web browsers
  Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe b133d412502ab9654837fc898e800503003bdda51480c711838a381aecb99942 (this sample)
Delivery method: Distributed via web download

Comments

zbet commented on 2022-01-15 22:55:26 UTC

url: hxxp://193.56.146.76/Proxypub.exe