MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
SHA3-384 hash: d9bd9597fbfe5149594209b051e210972d63b55151be80041c6d38e79ec26fa094fd46ed84cb5b2cb35fb4ab08592c93
SHA1 hash: e8328c960e000c606b36a3887bc5d154afcfc141
MD5 hash: a3ea7ddc9568c1c7fc4bc205e0714a40
humanhash: victor-zulu-crazy-fillet
File name:a3ea7ddc9568c1c7fc4bc205e0714a40.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:415'744 bytes
First seen:2023-02-06 09:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 13dc564127b9f6b618808536c7e12f68 (12 x Smoke Loader, 12 x Tofsee, 9 x RedLineStealer)
ssdeep 6144:MrALvKg5tNDmPQTNF9b9lTCwN+07JwXNto6NwEDuk6o7:Mce0qPQv59l+iJwXNiWlDr
Threatray 14'415 similar samples on MalwareBazaar
TLSH T15094AE03DAF1BC53E91687729E1FC7E8379DF5518E19772912298E2F18711B2D3A3228
TrID 38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0c24840404044440 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.7:4138

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
a3ea7ddc9568c1c7fc4bc205e0714a40.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 09:10:57 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/28e50b94-8a48-4a85-a90f-f9ddf304e75e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360684/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63e0c2fb905a5ac3b9098a2c/reports/4c8ed0ab-c3ec-4b70-b955-ba0489eb5782/overview
Verdict:
Malicious
Labled as:
Ransom.788A61AA
Link:
https://www.hybrid-analysis.com/sample/b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c9f19d9-8acf-4997-9248-11be122a6089
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166411
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 09:06:07 UTC
File Type:
PE (Exe)
Extracted files:
81
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfms65qwesp7segwahagqcjsvp2vvc2k6ui36gguflkvqnpuelka._file
Verdict:
malicious
Similar samples:
54aafb51ff385a09a9b8b9607e14910f4a669ae15d0081e2cc6c3ce46c7cda74
RedLineStealer
72007bc3e32c3bcd2691352450d78cf8f6df5b58446b551ec93c681aa4286d7b
RedLineStealer
8f3216bf4138af68094d497d8dbf97ca09be75b8f43813d838fa89a39b532e4f
RedLineStealer
9dc555f3f656cd15f7a7a41d3b44050c1df4d51159825c0a023016545a05b024
RedLineStealer
a47f63687886345a020234f5783fb22b7eb8cdfd1636b4a7396971f82b19b341
RedLineStealer
b28761dcebdb2388cbe68dde67065b717b2e9bc1e062ff1c68780ca5faa20e73
RedLineStealer
dde4ae84602bcca68bf6f0083019a27aa8768876d149a96cca059652d5c99151
RedLineStealer
ebd46441b3e3a1c1e64d6b0952dacb9bcdd896bb95c8a62bc3a4028a58b1573c
RedLineStealer
f061e1d95993dcfc7489306d19cb91a60d2026f9707c167be6c1dc2da7a32e9a
RedLineStealer
f465bc20dc2940cea44fba3ddd73fc997bd41e7be8d85151d9f1f75b27f61dbc
RedLineStealer
+ 14'405 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:bilod discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230206-k2q28ada43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.7:4138
Unpacked files
SH256 hash:
f1e65d2fb477a2eacb1dedfe236100e4b1630b5e5450463d89cf9e66b1af6760
MD5 hash:
ef45323b1905067239609c4d153255a3
SHA1 hash:
d652ca53fc109b61769b2eba0577bc51089f265e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6b1d6e3f-c124-4b9d-b91f-53d6f78debf5/
Parent samples :
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
eceade3ce86427080b0f4efe03d382ae3ae049cdcafef49cbd1365aab1918ec2
SH256 hash:
56d331d10b814d3bf111a7be43ded93212f1a6538b7f1ed27b36ef01552c6ed4
MD5 hash:
ed50aef1e5392cc41f2f7ad564197b86
SHA1 hash:
79abf2fb46e76cd7ee994cf40120483a6181548c
Link:
https://www.unpac.me/results/6b1d6e3f-c124-4b9d-b91f-53d6f78debf5/
SH256 hash:
736c3be20841c64e8c3494022027e9cb478a3c34338fa576c02372bb1c1c6470
MD5 hash:
a21d55f20608a424700512cbe24c33f4
SHA1 hash:
5d7279d9107ed162f466a284a966df2195e3b511
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6b1d6e3f-c124-4b9d-b91f-53d6f78debf5/
Parent samples :
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
b7e899976d3623c9de25a73f0fd57d963f12af9b0cacc952f1ce5aa14b93f920
dfe21a9c782431cbaa3f36a174c1eb493a5b161f6da763e74cb11d65fabe8eab
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
eceade3ce86427080b0f4efe03d382ae3ae049cdcafef49cbd1365aab1918ec2
a373356377baa29111c9c78123b35689f35dd91d6b440262646078d6571cecf1
SH256 hash:
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
MD5 hash:
a3ea7ddc9568c1c7fc4bc205e0714a40
SHA1 hash:
e8328c960e000c606b36a3887bc5d154afcfc141
Link:
https://www.unpac.me/results/6b1d6e3f-c124-4b9d-b91f-53d6f78debf5/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b9592f761624/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2529227/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/360684/
  
URLhaus
https://urlhaus.abuse.ch/url/2528642/

Comments