MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c
SHA3-384 hash:	77020ace2543e9af5a85ce633318077992124b4c4aac2e13195d38e2979ef50af2f83937b90a480afc7be25ea137397b
SHA1 hash:	6efc8ed22b32875f0d0e240eddf355e34fcf4513
MD5 hash:	0560f777b7ffa448adc77493b9b21eb5
humanhash:	arizona-virginia-vegan-colorado
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'045'984 bytes
First seen:	2022-09-09 01:33:47 UTC
Last seen:	2022-09-09 09:28:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep	98304:I/ioRNHU0B+Ei9pUhGUz9iXNWMXGp9TuOxkz4nijSHFLUvnCv7r3iC+aCAS:IqyOEine9XpwbSiaUras
Threatray	2'668 similar samples on MalwareBazaar
TLSH	T1FB361273126441A9D4DCCC395537FEA071F21A3B8F01ACBBA6D97AC625370E5A233A47
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e8d090b2ccdacaec (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉
Issuer:	❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉❉
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-09-07T11:32:25Z
Valid to:	2032-09-08T11:32:25Z
Serial number:	4284f1ca9b87259f4b47bec475350022
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	d4aaca3258e44be403d551fe4cf9644267ab4c7fa0c6883b1518f9def31f5301
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://www.psicomedodontoclinical.com.br/wp-content/uploads/2022/09/v07090.exe

Intelligence

File Origin

# of uploads :

# of downloads :

367

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-09-09 01:35:04 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/53f0f30e-58eb-497a-9a0a-432f477dff42

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/308892/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.13139.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

DNS request

Sending a custom TCP request

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/631a9813d06d9bc4c7ae7531/reports/d7493f53-a305-4730-9209-e497bf51220e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a429020e-f3e3-4cd5-98cd-325a4de813f0

Result

Threat name:

AsyncRAT, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1067524

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AsyncRAT

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-09-08 19:58:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 39 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zm67tkohgquhkg3sflrn7phc2bfumes5nks7nele447q6jom7sga._file

Verdict:

malicious

RedLineStealer

1b00cf03f26724d9e9cff35a8d3d2e42f2518827e9564513b348fc163de153b6

RedLineStealer

1fecd284567ab13f0c92dad3ae05fc2f4f1ad678de8bcceca62991f88990d090

RedLineStealer

2032f4c705391c616308c070f4aa16aed376c18cdc1deb207e8c9048edb0cce8

RedLineStealer

23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02

RedLineStealer

3d783630a9df4cc2fc3bed2bd696e006c4eb018ca419295fc1fc94010659ecac

RedLineStealer

408e38b4d81de63e5762dcb8024f81360b426429821f9934b087aa0a6b44c56f

RedLineStealer

7da2d1a4480abcd09e623396da276219ca59bebbb221a09f465f0f66ecc2a571

RedLineStealer

ba82cdc4db591f35dc0371faf051f1ace9f8e0151b01cc8d0568102351ee8cdf

RedLineStealer

+ 2'658 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220909-by4z8sdcgq/

Behaviour

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine payload

Unpacked files

SH256 hash:

3c222b4def4fc7bcc84e396751ad66bebf6b6a063dc7f2eba5c4e8835189f542

MD5 hash:

d6c70c39d231068be468504d2a90218b

SHA1 hash:

b9fce2b266e606f25408e90717e04d425cf2e231

Link:

https://www.unpac.me/results/665f3f3a-95f3-4eaa-9e8b-b80db1af3eae/

SH256 hash:

54b349c779bd15f32ccd11e4b63dda6ba878a90d14d0243bf2592171cfeaa0f3

MD5 hash:

c7bd468f76484ca6a80d55878aef5570

SHA1 hash:

9dfd20ffd246028374dec9ac104f31fa9751fa58

Link:

https://www.unpac.me/results/665f3f3a-95f3-4eaa-9e8b-b80db1af3eae/

SH256 hash:

cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c

MD5 hash:

0560f777b7ffa448adc77493b9b21eb5

SHA1 hash:

6efc8ed22b32875f0d0e240eddf355e34fcf4513

Link:

https://www.unpac.me/results/665f3f3a-95f3-4eaa-9e8b-b80db1af3eae/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cb3df9a9c734/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2296219/

Cape

https://www.capesandbox.com/analysis/308892/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample