MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df33d8bbc8b1123c7e30d88ca29a206b0c26f4c4853a2511c7ee05f0c2bdfb1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	df33d8bbc8b1123c7e30d88ca29a206b0c26f4c4853a2511c7ee05f0c2bdfb1c
SHA3-384 hash:	1085ee9600d3fa9212137ad78567a67118bcdc170c1956c3182bab108d7fecbdebfe43487e69195c0fcd17aee397ac99
SHA1 hash:	3f9c5e9230833022cb480a031dea2aa0f202baf3
MD5 hash:	94e9b5b4215913db506a9e6289f271d3
humanhash:	table-jersey-monkey-fillet
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'895'336 bytes
First seen:	2022-08-24 13:57:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep	98304:TH0Z6t/S0+ja7UKOPM/Q7WsDDz2qIKM66zhXkkOd6kmLWRXUhreM:Tt+0UKOIQ7JlYZOvdYLWUrx
TLSH	T15A361273A25051A2C0F5CC3E943BBEE0B2F517E79B5164F2729BA6C22E125D1D32358B
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	fcbc3a0f0fa7c6c0 (2 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Logitech Z-906
Issuer:	Logitech Z-906
Algorithm:	sha1WithRSAEncryption
Valid from:	2021-12-02T17:49:44Z
Valid to:	2031-12-03T17:49:44Z
Serial number:	454f68c4614e039041e5af851cb9dc28
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	d66eaf03204931fd078dcbd330cdbe4098d68284ecd7bc5009d3a21b37641b3f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc746114504_647227878?hash=YJGGPJKJT1ZmrGzwnZCIj1hWQVRnMxRB74cXZmyJt6P&dl=G42DMMJRGQ2TANA:1661348849:zQPWxR296b8KbYen4XOEzbkwWmUNZCejkGGPCzwzGQP&api=1&no_preview=1

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
65.21.176.128:8854	https://threatfox.abuse.ch/ioc/845172/

Intelligence

File Origin

# of uploads :

# of downloads :

331

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-08-24 13:58:41 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/7f66584c-0e67-4163-ae08-89e6491cde19

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300867/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/63062e6e393b1c8c470cd6be/reports/50ccd782-4044-4367-ad1d-20b042a9a734/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8bc4eab0-4174-44c6-9cb3-0f3b0f58980a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1057024

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df33d8bbc8b1123c7e30d88ca29a206b0c26f4c4853a2511c7ee05f0c2bdfb1c/

Threat name:

Win32.Trojan.Redlinestealer

Status:

Malicious

First seen:

2022-08-24 13:58:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=34z5ro6iwejdy7rq3cgkfgranmgcn5gequ5ckeoh5yc7bqv57moa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220824-q9tqzafdb4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

7447c0407f2b0135b16482eaeea8870dffd9c17c606ea43728757bd68a519ff5

MD5 hash:

70a1bc3e4c6909000e161059b72951b0

SHA1 hash:

7c8cea23978dc41b2fa4b3585edc8fbf2dc200a7

Link:

https://www.unpac.me/results/da47c6e7-ae52-431a-8b1a-fcac87e1179e/

SH256 hash:

f8e7f11984e199696e1546299837955c2e7b215cfc2ed91d608cd4a074ac62e1

MD5 hash:

c28a90f50f9c366844a528bc5cdc8870

SHA1 hash:

2f748d5f132289e30f68cfe0e2d7419b63ed5608

Link:

https://www.unpac.me/results/da47c6e7-ae52-431a-8b1a-fcac87e1179e/

SH256 hash:

df33d8bbc8b1123c7e30d88ca29a206b0c26f4c4853a2511c7ee05f0c2bdfb1c

MD5 hash:

94e9b5b4215913db506a9e6289f271d3

SHA1 hash:

3f9c5e9230833022cb480a031dea2aa0f202baf3

Link:

https://www.unpac.me/results/da47c6e7-ae52-431a-8b1a-fcac87e1179e/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/df33d8bbc8b1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/df33d8bbc8b1123c7e30d88ca29a206b0c26f4c4853a2511c7ee05f0c2bdfb1c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300867/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample