MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c96f914dd24ba81952c578e08d3d3e84bfe2c5ed63dc563ca0befcf672528ae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	c96f914dd24ba81952c578e08d3d3e84bfe2c5ed63dc563ca0befcf672528ae6
SHA3-384 hash:	a5670ab191606c37f74005b77aecf13054e4ba527e02544e56d9980d01d354f9cd96bb4971d535978771b42713a2fe58
SHA1 hash:	4a25d7ec93bc262b4bd8ee172e870c7e9bb53756
MD5 hash:	00819499e555a62f4e0b0790dd5c5565
humanhash:	gee-angel-nuts-hamper
File name:	00819499e555a62f4e0b0790dd5c5565.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	430'080 bytes
First seen:	2022-09-29 09:38:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5ebd10798d6e27c0784976277a5dece1 (8 x Stop, 5 x GCleaner, 2 x Smoke Loader)
ssdeep	6144:QrVIkrWazXXRZ3tunMXV6mbTuV4NIj6qH/elH999wv0tWX0RwwVfgC:Q/SaTXXwnMdbaSNO67JdZ/Rk
Threatray	6'106 similar samples on MalwareBazaar
TLSH	T1A294F13476D2C871D56626304529CFE52BBFB9F16874864B3364239E6EB33809A7231F
TrID	39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
178.62.18.73:8721	https://threatfox.abuse.ch/ioc/858539/

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/314673/

Detection(s):

Win.Packed.Tofsee-9951336-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39928/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/633567b878d4acb349f36cbe/reports/e2e5bd78-63a0-4e2e-928a-51fe1d17e121/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a35c6a7c-f0c4-4000-a342-e382c5845216

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1080028

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c96f914dd24ba81952c578e08d3d3e84bfe2c5ed63dc563ca0befcf672528ae6/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-09-29 09:39:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zfxzctosjoubsuwfpdqi2pj6qs76frpnmpofmpfax36pm4ssrlta._file

Verdict:

malicious

RedLineStealer

0dcb665bf83e5de02dac89f4c72741b5330fa15bd8bb45508a756d9d6f5f3a72

RedLineStealer

273edab824d0747c92a3b989af59bc5c4ae7555c29e9c47c20af1ffbef81035e

RedLineStealer

66307798a05a9774f4d9ca4569ae44d81f738934d70797d2299d0289e5825e81

RedLineStealer

8687cbc1af069ebeaa71e1d86f3c0aff3460964a5d8d216dc3971451130ecc31

RedLineStealer

8db913c07fc29c54f1e2fc0dc08f89d9ac187cf253e72a3f5966ba58ed72b7b6

RedLineStealer

ec15d31bf11d68867c2f3a2dec4b6de9a15be7e15d9be18ce330e439b1e9aab2

RedLineStealer

+ 6'096 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2dwrk discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220929-lml1dsach3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

solpolas.com:8721

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0e0f5dec-6758-4870-970a-9735d26e823f

Unpacked files

SH256 hash:

23f1aedbfb13b9a58eeb46dfcca88d18b021efd0096fa4f62e0742f36ae6d557

MD5 hash:

28a4659f329a5e5361edd189a01a44b7

SHA1 hash:

cadd826bb53bfcaee19a128ecc742bac798083c2

Detections:

redline

Link:

https://www.unpac.me/results/6f1aa24f-9af6-4de7-9183-89d8b7632770/

Parent samples :

c96f914dd24ba81952c578e08d3d3e84bfe2c5ed63dc563ca0befcf672528ae6
b30432c3fa683e21501f1ad3a45edd4de2db3c5764aa1bec41a88759af426bfb
6985cf21dddfea3de38364fc0916058b3a051e8a8c2b513ba4457f8f127909ae
cec3c06a9c91cd4440eaea2e319ac92e9db7b175f0bd83edd341b0debcda11e3
3aec9b933f1cb444270f6710618048c992db65e5382229ad3bf982fa63a88954

SH256 hash:

a4913e62ca955ffbe8afca1141e9f80202cea5264e4d8c3f8146dfb14828fc4e

MD5 hash:

098f75aef13346c613aec32e52c35d32

SHA1 hash:

8078d26b480c1ead6637e8c6a444254fd85ec0e2

Link:

https://www.unpac.me/results/6f1aa24f-9af6-4de7-9183-89d8b7632770/

SH256 hash:

b3d19a3bd965c0e4cb3aad68c08a0bdd1513f3605512e15312a8fc585fe3f3cd

MD5 hash:

2a7812b8c1ebc2f84b4a06d963e27ec3

SHA1 hash:

51f14f351b835c32ce9bd8f611e12e8d927be325

Detections:

redline

Link:

https://www.unpac.me/results/6f1aa24f-9af6-4de7-9183-89d8b7632770/

Parent samples :

c96f914dd24ba81952c578e08d3d3e84bfe2c5ed63dc563ca0befcf672528ae6
6985cf21dddfea3de38364fc0916058b3a051e8a8c2b513ba4457f8f127909ae

SH256 hash:

c96f914dd24ba81952c578e08d3d3e84bfe2c5ed63dc563ca0befcf672528ae6

MD5 hash:

00819499e555a62f4e0b0790dd5c5565

SHA1 hash:

4a25d7ec93bc262b4bd8ee172e870c7e9bb53756

Link:

https://www.unpac.me/results/6f1aa24f-9af6-4de7-9183-89d8b7632770/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c96f914dd24b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c96f914dd24ba81952c578e08d3d3e84bfe2c5ed63dc563ca0befcf672528ae6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314673/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample