MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf9af74d012613351519954723549d89c27efb100d0fb3b5f577d477dbab3ab0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 8 File information Comments

SHA256 hash:	cf9af74d012613351519954723549d89c27efb100d0fb3b5f577d477dbab3ab0
SHA3-384 hash:	22c02f32e25cfa5700f57c801c9c2c6cc6887d7ad628169b2839d504f52c9362443781da111bb61fbd38fbd8b8d77973
SHA1 hash:	98bbb8043dfcf44f8f819f84359a932318aad69e
MD5 hash:	f706cce75434b58140c3ccda69067abd
humanhash:	video-rugby-georgia-tennessee
File name:	f706cce75434b58140c3ccda69067abd.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	163'328 bytes
First seen:	2021-12-01 02:53:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:pvg679lx4vpmUyKCpf2n+VjWDCpWDIecNwL4G1pSJZ2QAYWnUaZ:O6RlGmiAf2qWDC6IecNw1pSJ0PY
Threatray	2'973 similar samples on MalwareBazaar
TLSH	T13FF3E06277D0D961D94C6778886A82E003BBED56FD62524E3884723E1EB339B74C3687
File icon (PE):
dhash icon	b0f0d4d4d0c0f0c0 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
3.142.129.56:10757

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
3.142.129.56:10757	https://threatfox.abuse.ch/ioc/256730/

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order_Inv#54648.jpg.exe

Verdict:

Malicious activity

Analysis date:

2021-11-26 07:46:11 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/7d3b3c88-0fc7-43e6-939b-fdcfa00ac34b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/210148/

Detection(s):

SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

obfuscated packed spyagent

Link:

https://www.filescan.io/uploads/61a6e3909954e0c6bf7939a6/reports/1a37ef70-775d-4c20-9509-6236b98cef40/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

EngWUltimate

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4b1e97b-ff0a-42a2-8b84-193b040e8223

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/899129

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf9af74d012613351519954723549d89c27efb100d0fb3b5f577d477dbab3ab0/

Threat name:

ByteCode-MSIL.Trojan.InjectorX

Status:

Malicious

First seen:

2021-11-26 18:05:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 45 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6npotibeyjtkfizsvdsgve5rhbh56yqbuh3hnpvo7khpw5lhkya._file

Verdict:

malicious

RedLineStealer

6bf72815b7831a968d757e3f1634d06532b20071e28bcd8ae88d4a24537f06ba

RedLineStealer

7ea71314fdae6e28d4d58b1eec270e3d1d3cd64d646717814052fd3ef7ed7db2

RedLineStealer

859e64236c7d4720e0a2be0ecc3a289034b2c2ca7b136874dd6bcc649c79d8ba

RedLineStealer

d8b42431b63037e8b1a15670af84ec3c3f03fe1e397425d410b82a1a35c388a9

RedLineStealer

d9886bd374d41e121835cb726da295b753c5c6307949da904b1cf3b69bc1fcb9

RedLineStealer

fb53c4089e19cca8c8b8602ef0ae9c9614f3428b31cc7db4486a533d84195f84

RedLineStealer

+ 2'963 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:slim discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211201-dda8jachc4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

8.tcp.ngrok.io:10757

Unpacked files

SH256 hash:

5dc5ad6a8cc7cd1721a854c44cfca57243404d89d5cfeb60fdfc1a8ec2cba3aa

MD5 hash:

91f9634a8e890a3389fd89a634169fdf

SHA1 hash:

a3863858ec7c5b804072a73da5942d950caa5c57

Link:

https://www.unpac.me/results/186f8763-9a6b-4882-b100-d4095b292725/

SH256 hash:

e0a479fad51155272aac45fd46ccda31fa8ad3701186c27d9e41b441b880d650

MD5 hash:

71859d8f3f6a1e7d5b5edddef6128307

SHA1 hash:

96c1c26b1678e1c627ea267a0710bdad34f7bfc7

Link:

https://www.unpac.me/results/186f8763-9a6b-4882-b100-d4095b292725/

SH256 hash:

cf9af74d012613351519954723549d89c27efb100d0fb3b5f577d477dbab3ab0

MD5 hash:

f706cce75434b58140c3ccda69067abd

SHA1 hash:

98bbb8043dfcf44f8f819f84359a932318aad69e

Link:

https://www.unpac.me/results/186f8763-9a6b-4882-b100-d4095b292725/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cf9af74d0126/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf9af74d012613351519954723549d89c27efb100d0fb3b5f577d477dbab3ab0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/210148/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample