MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9a34a1c34cdb62ed77d841f76d9e38e613134f06b7b32e309acefdb8df768fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9a34a1c34cdb62ed77d841f76d9e38e613134f06b7b32e309acefdb8df768fe
SHA3-384 hash: 6153b7d1827338bf973973c46c2c767b48e62d11a854cc074805cf93508002d6e9a227aeca9daf72c9501e30cf6582b8
SHA1 hash: 1d7ae17d3d402e3b3685c616dde83b3180b4607f
MD5 hash: 6e8e665f430f18704d7b55ce4e5eb94b
humanhash: fourteen-whiskey-golf-louisiana
File name:Quotation - RPT.0011339 - 5-7-2022.pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:543'232 bytes
First seen:2022-07-05 06:40:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ka0er79GBePSVM+qlHT7QNnotY9IvsGrqew4SdC4sJ:ka0e39GBZZqzsNnoa9CrqV4EC4s
Threatray 4'357 similar samples on MalwareBazaar
TLSH T161C40214D2BD4B22C6B887F98140562907F7A3CE3A34FB4D8FC638C65619BC145A9FA7
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f0c4d2d2c4f070 (11 x AgentTesla, 7 x Formbook, 5 x Loki)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
2.58.56.239:16733

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.58.56.239:16733 https://threatfox.abuse.ch/ioc/797098/

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.9453.30797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c3dd00a9394d64214856ae/reports/cd0900da-57e4-410b-b1b7-c682e4db7487/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a97b3a8-40fa-45b5-8554-4f19211f87a8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024586
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9a34a1c34cdb62ed77d841f76d9e38e613134f06b7b32e309acefdb8df768fe/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 06:41:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gruuhbuzw3c5v35qqpxnwpdrzqtcnhqnn5tfyyjvtx5xdpxnd7a._file
Verdict:
malicious
Similar samples:
0bd49bd6eef0e96e0dd549eb7e3f4afdc49f6c2f1771ad644bd8d2bc4358b9d9
RedLineStealer
1d1288c2ce2893c49f8b5415034de067a2d68ccddc08fe89f8711e568d777505
RedLineStealer
200278c00b708428eb0871bc1dcf4827da6598b15a94e58ac8f296de1957f209
RedLineStealer
33a19ea1c739df9fbb3a9f8d81efb67050339afc59e44c611f98ccdd66cc37fa
RedLineStealer
3f6c93773e47afcf964b6d01313d63b90dcdb8ac227cd7bb80b232fc924f5aac
RedLineStealer
4e4937d04ce933221fad993e7db49a096f11cefbe11c593da9041d5e375d6119
RedLineStealer
51470b54c5f205002945f7a1977dcc11ffc35436335247181445d5afb9988740
RedLineStealer
bec6c14f97cb9bb63215ddd6dab22724d07dfbf633c45f6cb51265c1b6a61ec8
RedLineStealer
e28bc747ebb0dc285a8421699d80d05b3265c539a61e54c745777a772b871523
RedLineStealer
fef5b5b2db712c8e2e75ceef178f511cca8e4fa243ea0f18ced547c3c3ea275a
RedLineStealer
+ 4'347 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:blessedhand discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220705-hfr2aaegcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
2.58.56.239:16733
Unpacked files
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/b0a1708d-b0a4-4888-a437-2165a6e223d2/
SH256 hash:
2c5787e3ab35cd5cfbb4424f22a012a7c586c0470deb84fbfd7e1be6aee3dee0
MD5 hash:
f9222eba725e967506037021c7eac850
SHA1 hash:
93618b07f2d249dd63394ec4c379ebfedfc25f57
Link:
https://www.unpac.me/results/b0a1708d-b0a4-4888-a437-2165a6e223d2/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/b0a1708d-b0a4-4888-a437-2165a6e223d2/
SH256 hash:
9df59c987fee6e576668360a76f65a4fc2f6cd362b7cff12aa9d59a80b48420c
MD5 hash:
05169d2c17e461566b5412f6e5d5973f
SHA1 hash:
64704822051eb44bd8715c6b63ac45c55493e86c
Link:
https://www.unpac.me/results/b0a1708d-b0a4-4888-a437-2165a6e223d2/
SH256 hash:
1ac21d4ea4b9671dfdbbf6cbbc27f9b83803b47c1d2405d5e2b2231c3fe6f8a8
MD5 hash:
f03918f929b7f6d4ac4bcf04b5365a45
SHA1 hash:
1a28d96735c27600b7bb6502e8a899a0d9fd1018
Link:
https://www.unpac.me/results/b0a1708d-b0a4-4888-a437-2165a6e223d2/
SH256 hash:
d9a34a1c34cdb62ed77d841f76d9e38e613134f06b7b32e309acefdb8df768fe
MD5 hash:
6e8e665f430f18704d7b55ce4e5eb94b
SHA1 hash:
1d7ae17d3d402e3b3685c616dde83b3180b4607f
Link:
https://www.unpac.me/results/b0a1708d-b0a4-4888-a437-2165a6e223d2/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9a34a1c34cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments