MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfd91a316ca48f2a35cf9551e66a1edc5755c4859a3f12a67080e9fbfa80bd9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments 1

SHA256 hash:	bfd91a316ca48f2a35cf9551e66a1edc5755c4859a3f12a67080e9fbfa80bd9d
SHA3-384 hash:	da05785564b5dd5fd71afa036fc8a75864602fb848007abfc3d0abfb0718b827f000641d0607bdbcfb18942941dfbda8
SHA1 hash:	3664428491197f73858aed7fe54b59106acc05eb
MD5 hash:	ea454f3392331641d3ce6e68958dd590
humanhash:	cardinal-kentucky-gee-red
File name:	ea454f3392331641d3ce6e68958dd590
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	376'832 bytes
First seen:	2022-06-08 22:37:16 UTC
Last seen:	2022-06-08 23:47:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d530938e11b87f5dcaab85f14604822a (5 x Amadey, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep	6144:zC+xGzg4LAb/zYC+gm0/+1sEqtm9DiDcnaOGcxjgNHaguKSVkkhnYO84:zCnvMTzYjT0/+1SyDiDktfMSVFnYf4
Threatray	5'025 similar samples on MalwareBazaar
TLSH	T1B284BF10B790C035F1B752F44DB98368BA3E7AA1AB3451CB62D51AED5738AE5EC3031B
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	2dec1370399b9b91 (25 x RedLineStealer, 21 x Smoke Loader, 8 x ArkeiStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

ea454f3392331641d3ce6e68958dd590

Verdict:

Malicious activity

Analysis date:

2022-06-08 22:40:02 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5d28117e-edc9-4637-8fb6-03969475a8d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/277918/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Raccrypt.GT.MTB.8796.22744.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed

Link:

https://www.filescan.io/uploads/62a124e34c4e28fcf3ba70b3/reports/dff5b9b3-44c7-4a5d-a730-0110345a7ce1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/02a8127e-0e2e-4fc5-a342-77e24a262c01

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1009479

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bfd91a316ca48f2a35cf9551e66a1edc5755c4859a3f12a67080e9fbfa80bd9d/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-06-08 22:38:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x7mrumlmushsunopsvi6m2q63rlvlrefti7rfjtqqdu7x6uaxwoq._file

Verdict:

malicious

RedLineStealer

43656b3aec1f1157f5f3bc34cad394d0653a74417a0203413066e57b39eb940c

RedLineStealer

5b27a94d4bc1f2d123666bcbab54f08c42d736953e9189e9ff917a256c8657a6

RedLineStealer

a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c

RedLineStealer

b180216a50259f6c1602343a6da48ccd1b9bc293e0d6ff4f1336fa212c482ce6

RedLineStealer

b7cea1f983cf8ed41120e2d4a17b7fe2ec6693d2d990172568cdbbd6b9fbd319

RedLineStealer

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

RedLineStealer

becad3c0c2a44f7add3f9cecbae0c18bb01023d86fbf69e1421e4b29ca1b9f7f

RedLineStealer

eb630c0e1afc2b423b0b70023546a85839bc97661ebd71ce3a73f1cae910420a

RedLineStealer

+ 5'015 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:unikalno discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220608-2kcxpscffj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.233.48.58:43014

Unpacked files

SH256 hash:

881234eff8f61ae71692d59172a1bc26a40b3da7030046e909b63b619f8340ef

MD5 hash:

07d8fe705e2bccefb056669fc96a1654

SHA1 hash:

d02ba122d60465e8031ba5d1deb1d3075c2fceaa

Link:

https://www.unpac.me/results/a8dbe007-3c75-4569-9721-7b13bfb850ae/

SH256 hash:

3368355655b5f5c91b265c66cd73f66091c08e656686102f7831384d89310380

MD5 hash:

ea686363d88e796528eceb716303e421

SHA1 hash:

3f6b344301188aacf37b75ec087862b5db8247b3

Link:

https://www.unpac.me/results/a8dbe007-3c75-4569-9721-7b13bfb850ae/

SH256 hash:

aa9b295d90d50a654661869c763ec71d52106f6e9008a65c5f70f32402a89f45

MD5 hash:

bb8a453dd9eb3083f6144bf7b95effc4

SHA1 hash:

30a7939beec821a304cc2ac441f13eb2e2c85b43

Link:

https://www.unpac.me/results/a8dbe007-3c75-4569-9721-7b13bfb850ae/

SH256 hash:

bfd91a316ca48f2a35cf9551e66a1edc5755c4859a3f12a67080e9fbfa80bd9d

MD5 hash:

ea454f3392331641d3ce6e68958dd590

SHA1 hash:

3664428491197f73858aed7fe54b59106acc05eb

Link:

https://www.unpac.me/results/a8dbe007-3c75-4569-9721-7b13bfb850ae/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bfd91a316ca4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bfd91a316ca48f2a35cf9551e66a1edc5755c4859a3f12a67080e9fbfa80bd9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.