MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de
SHA3-384 hash:	2ee2b78b8ffeeb49de7934e33a2939b82b3ec5569a624404a20be93a07770a76892fa99169c931bd44e5707ca610d84d
SHA1 hash:	c6a84c596965914e5fec000be17ace81712beda1
MD5 hash:	3d2de2a6844ccb71b796ea8d45d425fc
humanhash:	october-berlin-summer-uncle
File name:	saved_photo_12_30_2021_14_32_nvidia_replay.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'383'232 bytes
First seen:	2021-12-31 08:29:16 UTC
Last seen:	2021-12-31 11:19:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9a4258c5d218cf6e5c500e8415d5f5ed (13 x RedLineStealer, 2 x RaccoonStealer)
ssdeep	98304:c9eiqMT+X7ic5fO63dQ7reGHt4BHWqXK7xwAi1wHBRFmUHIBPPQb:czqgMha7iG6WEK1wD16sUoBPP4
TLSH	T180163354A3CD64F9C80D01F2309748DFE22F5817E82AAFDE0A0EFA7A8D90953D7594C2
Reporter	JAMESWT_WT
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

saved_photo_12_30_2021_14_32_nvidia_replay.exe

Verdict:

Malicious activity

Analysis date:

2021-12-31 08:29:47 UTC

Tags:

trojan rat redline opendir loader

Link:

https://app.any.run/tasks/ed711be0-252f-4e83-862d-abc20bca10b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/216904/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Connecting to a non-recommended domain

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Searching for the window

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Stealing user critical data

Blocking the Windows Defender launch

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed yakes

Link:

https://www.filescan.io/uploads/61cebf8eec6c6c14a9fffb7e/reports/5c11d23e-1e4e-4e59-9fe2-1520f7266c7f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/90d086c8-7522-4898-8f30-d30cee998a2e

Result

Threat name:

MicroClip RedLine

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/914263

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops script or batch files to the startup folder

Found malware configuration

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected MicroClip

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-12-30 17:38:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z7q2ttw7cls4ahche7ilclpiztwpnfvgjp4jlwxsw4pecmpr4hpa._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211231-kd6srsfcak/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

fe49323ce6e6b8936e6fb1e25687692222c23bacc4c9831e6fd1679b2f7900d3

MD5 hash:

3aeee5680bd7a63eb5fc0ac4d74af9f3

SHA1 hash:

cecf6129c95f6c47e7dd95b28417b617cb1e5c08

Link:

https://www.unpac.me/results/7a096de8-9ba7-4fe6-9f01-d096f6d685d8/

SH256 hash:

b9edbb5a0d94a8a724cc26c9fab185255bc38a133fbd182b458db8c46de49c8d

MD5 hash:

15c85f451165afb29fafc7e3f7f3721b

SHA1 hash:

1a2323d5cd3eaacff759aff9c78c0de688ad150d

Link:

https://www.unpac.me/results/7a096de8-9ba7-4fe6-9f01-d096f6d685d8/

SH256 hash:

cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de

MD5 hash:

3d2de2a6844ccb71b796ea8d45d425fc

SHA1 hash:

c6a84c596965914e5fec000be17ace81712beda1

Link:

https://www.unpac.me/results/7a096de8-9ba7-4fe6-9f01-d096f6d685d8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cfe1a9cedf12/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/malwrhunterteam/status/1476648205471428612?s=20

Cape

https://www.capesandbox.com/analysis/216904/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample