MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df16f9d39345c1a3a1ed404fc6a7c3e5482952e4fa36a7913eb3cddc97950d1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df16f9d39345c1a3a1ed404fc6a7c3e5482952e4fa36a7913eb3cddc97950d1c
SHA3-384 hash: 80eb3e5a2cc8494cd526735d7b507b822b4bba4e6f6a27b218986a55eb03682c72867ebac596c782322619ac887ebc7f
SHA1 hash: 8e4cabd6ffb0c36d89bfb7ee9b7705a7d76fbb9f
MD5 hash: b278d2601750d7ad2090a7801e377396
humanhash: grey-alpha-crazy-mobile
File name:b278d2601750d7ad2090a7801e377396
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:579'584 bytes
First seen:2022-03-23 07:23:32 UTC
Last seen:2022-03-25 07:06:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:EelNd3FOcWAk+I2H6c8fq7z1aQS03ULaHNqrxlKIQNosBBqD1pr29nZO:E+Nd13k+fb1akEaHNYK3vBq/rSM
Threatray 1'853 similar samples on MalwareBazaar
TLSH T183C423E803867CEEC40F507DB905996F19EA8A60F9C338ED926306911BB9C57F0DD1B6
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/255399/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/623acb55b94fb38cb4d7436d/reports/8300967d-be4c-4001-9f50-2fca4020b0b9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cc4a2c9-4048-4e89-a1d3-99b2a99d76a8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962467
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential dummy code loops (likely to delay analysis)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df16f9d39345c1a3a1ed404fc6a7c3e5482952e4fa36a7913eb3cddc97950d1c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-22 16:03:24 UTC
File Type:
PE (Exe)
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34lptu4tixa2hipnibh4nj6d4vecsuxe7i3kpej6wpg5zf4vbuoa._file
Verdict:
malicious
Similar samples:
25a1dd6991b1cb883351b337bf26ed84eaa84b276e9a430e34efa2265d058856
RedLineStealer
267ca80ba7f91e7982bed38464198b13be2a517b2db425e4f9e3af39f003248d
RedLineStealer
555f9877823f5f80c071719d9b384857f29eaee4fafd6aa1f921994fb412bf36
RedLineStealer
55a7d2b17477a6d16a1666e267e9bdbb1d6201b0fa07dfb20d2fb5a1b184024d
RedLineStealer
5a37e85ddf1b693cb2e938710a4fc0cea30062eb784ad5b8cecd0d1170d5da6f
RedLineStealer
5b54867f600777e8cec30c3386a3d42f08da4e1a3a4e636f135e25e2d9850603
RedLineStealer
615bdcc0965d35255d99668380668e1811effaa80cc69c1c78f6a455be86c685
RedLineStealer
6b737843eebb48068a3ef0bce32560eb1bb8b1db1ed2cd7018c8742b099ace17
RedLineStealer
81dd784ad8e4a6924b1b0ee5ebf09d3018e3bda4225f3c89439e8846cf5e09d9
RedLineStealer
de37420106874bb2eaf7cc28ca686306ef5dca083dab23c6555d524de13b449a
RedLineStealer
+ 1'843 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:nam33 infostealer spyware
Link:
https://tria.ge/reports/220323-h8elnahea2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Malware Config
C2 Extraction:
103.133.111.182:44839
Unpacked files
SH256 hash:
98481d7defa722816a69300516d1f69dac11dc257fe0954e309119d59d1d5915
MD5 hash:
ad9476f77afbbd8a4302dae1d76e0c73
SHA1 hash:
84e7d0fe2c42086be27ae4847a563e5e76e8a358
Link:
https://www.unpac.me/results/aaabf015-8ada-4e35-9163-b63f15cb26bf/
SH256 hash:
4907a89e4f6198a1c5ce48df5e1570d676e4bf423e7f24f6a9e4da60b6822d2e
MD5 hash:
d73014b2d7e352cadcbea44d22932065
SHA1 hash:
92d731bfa4b459226c79f945d7b66d1e9c60567a
Link:
https://www.unpac.me/results/aaabf015-8ada-4e35-9163-b63f15cb26bf/
SH256 hash:
df16f9d39345c1a3a1ed404fc6a7c3e5482952e4fa36a7913eb3cddc97950d1c
MD5 hash:
b278d2601750d7ad2090a7801e377396
SHA1 hash:
8e4cabd6ffb0c36d89bfb7ee9b7705a7d76fbb9f
Link:
https://www.unpac.me/results/aaabf015-8ada-4e35-9163-b63f15cb26bf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/df16f9d39345/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df16f9d39345c1a3a1ed404fc6a7c3e5482952e4fa36a7913eb3cddc97950d1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe df16f9d39345c1a3a1ed404fc6a7c3e5482952e4fa36a7913eb3cddc97950d1c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2111864/
Cape
Cape
https://www.capesandbox.com/analysis/255399/

Comments


Avatar
zbet commented on 2022-03-23 07:23:44 UTC

url : hxxp://file-coin-coin-10.com/files/1051_1647952828_7301.exe