MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd9f4c3e48d8717da1e69bb6798822fd12c4e96218424de6a8e8dd49ad76fdcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd9f4c3e48d8717da1e69bb6798822fd12c4e96218424de6a8e8dd49ad76fdcb
SHA3-384 hash: 5044b26a9b1ed5117eba2403a13f153e48af8d9ce5032ad83c16e29a339ee165b376a9e9ff6b934c304ecf6adb10ca42
SHA1 hash: cbc26d6ff42f42d6f3094ce3a6e12c6e0f0f1ac8
MD5 hash: 90c9ca0022bbb3036cf54d8f0e1b6415
humanhash: paris-fillet-paris-echo
File name:90c9ca0022bbb3036cf54d8f0e1b6415
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'791'768 bytes
First seen:2022-04-20 19:19:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a498eee87e4d89512a84502f500181f (138 x AveMariaRAT, 57 x RedLineStealer, 7 x CoinMiner)
ssdeep 49152:utMczvpvqsDbXE6Ml8W6aP1OdL49ZEIS4Cs9l:utMczhiYNMl8W6aP4dOZLd
TLSH T1E285BFE38712024AF553A436902F6E6D33762232578FB873278C1EDAE32B3D54569B17
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265232/
Detection(s):
Win.Packed.Sabsik-9945142-0
Create hunting rule

Win.Packed.Sabsik-9945143-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62605d20eab80a7a6c4d2d6f/reports/3c1ec7a6-f120-46b0-91ec-de41c5c0b82e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/daf24f1d-97d0-4879-b322-57172e2874d0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/979956
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd9f4c3e48d8717da1e69bb6798822fd12c4e96218424de6a8e8dd49ad76fdcb/
Threat name:
Win32.Spyware.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-04-20 19:20:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220420-x132lsggcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.106.191.253:4752
Unpacked files
SH256 hash:
dd9f4c3e48d8717da1e69bb6798822fd12c4e96218424de6a8e8dd49ad76fdcb
MD5 hash:
90c9ca0022bbb3036cf54d8f0e1b6415
SHA1 hash:
cbc26d6ff42f42d6f3094ce3a6e12c6e0f0f1ac8
Link:
https://www.unpac.me/results/1854d74d-9d3b-408b-999c-5779d76d043b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dd9f4c3e48d8717da1e69bb6798822fd12c4e96218424de6a8e8dd49ad76fdcb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe dd9f4c3e48d8717da1e69bb6798822fd12c4e96218424de6a8e8dd49ad76fdcb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/265232/
  
URLhaus
https://urlhaus.abuse.ch/url/2157168/

Comments


Avatar
zbet commented on 2022-04-20 19:19:54 UTC

url : hxxp://212.192.246.121/8ZCTBLxD/@gvfjsd%20(3).exe