MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1
SHA3-384 hash:	9a795d0ff46ec718165c0213f3de9c56513e8e4d2b284862f025942c4db389e880c23d3dd1bba8670b2fe1da8942f410
SHA1 hash:	96952fdffd090244a986e9fd603d434881864066
MD5 hash:	845b889989bad720eb796775536f36a1
humanhash:	network-wyoming-twenty-magnesium
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'732'096 bytes
First seen:	2023-10-04 21:53:38 UTC
Last seen:	2023-10-05 15:19:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bcb1724c5759c241360ff43b3a5eb6aa (2 x RedLineStealer)
ssdeep	24576:d2U/Y/LG8fsksvYS0NU3e0FUTdW98lo0Oo:d2UAtsksvY1+mBWPB
Threatray	71 similar samples on MalwareBazaar
TLSH	T1E5856B7039E1816DFDF220B74EDCB566857CA0A41B2745C7A3894EEA9E243FC2E315D2
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://171.22.28.213/3.exe

Intelligence

File Origin

# of uploads :

# of downloads :

426

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://sunbabsco.com/wp-download/software/zip.7z

Verdict:

Malicious activity

Analysis date:

2023-10-05 15:29:52 UTC

Tags:

privateloader evasion opendir loader risepro stealer redline gcleaner ransomware stop stealc hijackloader tofsee botnet arkei vidar trojan amadey rat asyncrat remote raccoon recordbreaker danabot raccoonclipper danabot-unpacked g0njxa

Link:

https://app.any.run/tasks/b6cb2026-51d9-44e9-b5eb-cf62539b2d0d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Pwsx-10008461-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e6a1ad46-5439-44d2-ad51-f675003ec0cf

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1319792

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-10-04 21:54:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xh3pvszdhbtzwbjqaulv6o6poyhopasmtauuupy2sokytqnfqdyq._file

Verdict:

malicious

RedLineStealer

5fc5e961e2adc131d04cfb81d63320befe3165222505062f03d2d706b627f1a7

RedLineStealer

82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39

RedLineStealer

84447b2534a241354998b6b6556f74c99775e160d0381466be29cfe8d804bf18

RedLineStealer

9cbdb8e2103328fcd51687a14b752ffb2d3a28a7d5de6cc2c912861070d65fe5

RedLineStealer

9f5289a682a53144b0a38d1af54d935194934188efb4cdb92127f3afe5f3753a

RedLineStealer

c235740f48d901ce404e6f78b01ad689ad01e9196b1be94b99b44960b8e86397

RedLineStealer

d99ad61e2c82cdee34498ec86c2eb31e39dd2be6c3469bf37f425f584b385bae

RedLineStealer

f37b36c1284b088c45a5ae76da926170f1228d7688ae8c5ec2b3e7e10565a52a

RedLineStealer

+ 61 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@oleh_ps infostealer spyware

Link:

https://tria.ge/reports/231004-1r7j8afc5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

176.123.4.46:33783

Unpacked files

SH256 hash:

4e83568c459797dd0575b356e6277bb0dfffb69a6b2f62d99edf1d2e7fc42a50

MD5 hash:

8834a7da4186e3a88abacd1658516660

SHA1 hash:

2c31a825b66c4acca93dbb960a769d0413c3dee9

Detections:

redline

Link:

https://www.unpac.me/results/ebb66ad4-054c-4ad1-ae90-afdba861286a/

Parent samples :

c235740f48d901ce404e6f78b01ad689ad01e9196b1be94b99b44960b8e86397
b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1
39c4303243f8ba84b1aa745c8ed21f8c0429a01a8a8762a78b26861ddbf2b8a6
cbb6d29ab30553cf427559c8981d6dbd8f79adbfff8d440d313264b5511c7608

SH256 hash:

b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1

MD5 hash:

845b889989bad720eb796775536f36a1

SHA1 hash:

96952fdffd090244a986e9fd603d434881864066

Link:

https://www.unpac.me/results/ebb66ad4-054c-4ad1-ae90-afdba861286a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b9f6facb2338/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2716401/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample